
When someone gets time would you have a look at these files?



My issues started with my other computer: I found 4 trojans, or rather I should say Malwarebytes Anti-Rootkit found 4 trojans. Cleanup seemed to go OK, with no issues. So I decided I had better run my scanners on this computer just in case. I have not had any issues with this computer other than a Windows error that pops up once in a while, and several months ago I ran System Restore and since then I have had trouble with Windows Updates. Every time you shut the computer down it wants to install the same updates. Anyway, other than those two issues this computer has been running fine for its age.

But when I tried to run Malwarebytes Anti-Rootkit I started running into problems. Anti-Rootkit won't run at the present time; it keeps telling me administrator privileges are needed to run this program. A couple of times it has said something about a DDA driver that did not load. I am an administrator on this machine, and I even created a new admin account and gave it a password, and it still won't run.

I tried running Kaspersky TDSSKiller and it just says "can't load driver". (Sorry about that, I tried that before I found these forums.)

So here are the contents of the two files created by dds.scr:

dds.txt

=============

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Bryan at 22:06:11 on 2013-05-21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1329 [GMT -4:00]

.

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.charter.net/index.php?inc=1

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - <orphaned>

EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>

uRun: [HP Officejet Pro 8600 (NET)] "c:\program files\hp\hp officejet pro 8600\bin\ScanToPCActivationApp.exe" -deviceID "CN26KBR2YD05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""

mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"

mRun: [iClean] "c:\program files\aladdin systems\iclean\iClean.exe" /I

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab

DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab

DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab

DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194099141000

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346788845619

DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/chnz/default/mjolauncher.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37390.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab

DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} - hxxp://www.racelm.com/rlm/cfmturbo/cfm2005turboDMCrsnorun.CAB

DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/gold/default/gf.cab

DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab35645.cab

DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://sympatico.zone.msn.com/bingame/dash/default/DinerDash.1.0.0.94.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

TCP: NameServer = 24.159.64.23 24.217.201.67 24.177.176.38

TCP: Interfaces\{545E5E51-44BC-4EED-8292-ABD1FD290F59} : DHCPNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\TmIEPlg.dll

Notify: !SASWinLogon - <no file>

Notify: crypt32chain - <no file>

Notify: cryptnet - <no file>

Notify: cscdll - <no file>

Notify: dimsntfy - <no file>

Notify: ScCertProp - <no file>

Notify: Schedule - <no file>

Notify: sclgntfy - <no file>

Notify: SensLogn - <no file>

Notify: termsrv - <no file>

Notify: wlballoon - <no file>

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bryan\application data\mozilla\firefox\profiles\gawsskto.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php?inc=1

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\firefoxextension\components\TmFFEx6.dll

FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\firefoxextension\components\TmFFExt.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\trend micro\amsp\module\20004\1.5.1505\6.6.1088\firefoxextension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-6 353168]

R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-1-29 188272]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-6 820568]

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-9-25 582992]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-1-29 64080]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-9-25 206608]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-12-25 18560]

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2004-9-5 95232]

S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2011-8-14 30368]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-9-25 206608]

S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2011-8-14 16080]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-11-14 392824]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-4-23 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2011-8-14 239600]

.

=============== File Associations ===============

.

ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~4\office\FRONTPG.EXE

ShellExec: Photoshop.exe: open=c:\program files\adobe\photoshop 7.0\Photoshop.exe

.

=============== Created Last 30 ================

.

2013-05-21 10:37:55 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-05-21 03:30:02 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2013-05-21 03:29:38 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro

2013-05-21 02:59:52 -------- d-----w- C:\RegBackup

2013-05-06 01:37:19 -------- d-sha-r- C:\cmdcons

2013-05-06 01:34:29 98816 ----a-w- c:\windows\sed.exe

2013-05-06 01:34:29 256000 ----a-w- c:\windows\PEV.exe

2013-05-06 01:34:29 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2013-04-21 13:25:02 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-21 13:25:02 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-16 22:17:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec

2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

============= FINISH: 22:07:06.12 ===============

attach.txt

===========

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 9/5/2004 12:27:16 AM

System Uptime: 5/21/2013 9:15:59 PM (1 hours ago)

.

Motherboard: First International Computer, Inc. | | AU31

Processor: AMD Athlon XP 2500+ | Socket A | 1837/166mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 119.939 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP3264: 4/4/2013 3:00:23 AM - Software Distribution Service 3.0

RP3265: 4/5/2013 3:00:26 AM - Software Distribution Service 3.0

RP3266: 4/6/2013 3:00:26 AM - Software Distribution Service 3.0

RP3267: 4/7/2013 3:00:24 AM - Software Distribution Service 3.0

RP3268: 4/8/2013 3:00:24 AM - Software Distribution Service 3.0

RP3269: 4/11/2013 10:19:45 AM - Software Distribution Service 3.0

RP3270: 4/12/2013 3:00:30 AM - Software Distribution Service 3.0

RP3271: 4/13/2013 3:00:35 AM - Software Distribution Service 3.0

RP3272: 4/14/2013 3:00:40 AM - Software Distribution Service 3.0

RP3273: 4/15/2013 3:00:26 AM - Software Distribution Service 3.0

RP3274: 4/16/2013 3:00:24 AM - Software Distribution Service 3.0

RP3275: 4/17/2013 3:00:23 AM - Software Distribution Service 3.0

RP3276: 4/18/2013 3:00:26 AM - Software Distribution Service 3.0

RP3277: 4/19/2013 3:00:25 AM - Software Distribution Service 3.0

RP3278: 4/20/2013 3:00:24 AM - Software Distribution Service 3.0

RP3279: 4/21/2013 3:00:25 AM - Software Distribution Service 3.0

RP3280: 4/22/2013 3:00:24 AM - Software Distribution Service 3.0

RP3281: 4/23/2013 3:00:23 AM - Software Distribution Service 3.0

RP3282: 4/24/2013 3:00:23 AM - Software Distribution Service 3.0

RP3283: 4/25/2013 3:00:23 AM - Software Distribution Service 3.0

RP3284: 4/26/2013 3:00:25 AM - Software Distribution Service 3.0

RP3285: 4/27/2013 3:02:10 AM - Software Distribution Service 3.0

RP3286: 4/28/2013 3:00:27 AM - Software Distribution Service 3.0

RP3287: 4/29/2013 3:00:23 AM - Software Distribution Service 3.0

RP3288: 4/30/2013 3:00:25 AM - Software Distribution Service 3.0

RP3289: 5/1/2013 3:00:24 AM - Software Distribution Service 3.0

RP3290: 5/2/2013 4:49:12 PM - Software Distribution Service 3.0

RP3291: 5/3/2013 3:00:24 AM - Software Distribution Service 3.0

RP3292: 5/4/2013 3:00:23 AM - Software Distribution Service 3.0

RP3293: 5/5/2013 3:00:23 AM - Software Distribution Service 3.0

RP3294: 5/5/2013 10:02:37 PM - Software Distribution Service 3.0

RP3295: 5/9/2013 10:49:30 AM - System Checkpoint

RP3296: 5/10/2013 3:00:24 AM - Software Distribution Service 3.0

RP3297: 5/11/2013 3:00:36 AM - Software Distribution Service 3.0

RP3298: 5/12/2013 3:00:34 AM - Software Distribution Service 3.0

RP3299: 5/13/2013 3:00:24 AM - Software Distribution Service 3.0

RP3300: 5/14/2013 3:00:24 AM - Software Distribution Service 3.0

RP3301: 5/15/2013 3:00:24 AM - Software Distribution Service 3.0

RP3302: 5/16/2013 3:00:24 AM - Software Distribution Service 3.0

RP3303: 5/17/2013 3:00:34 AM - Software Distribution Service 3.0

RP3304: 5/20/2013 9:09:32 PM - Software Distribution Service 3.0

RP3305: 5/20/2013 10:59:48 PM - Tweaking.com - Windows Repair

RP3306: 5/20/2013 11:46:06 PM - Tweaking.com - Windows Repair

.

==== Installed Programs ======================

.

56Kbps Internal Modem

Absolute Beginner-Lesson01VB

Active Disk

Ad-Aware Browsing Protection

Adobe Acrobat 5.0

Adobe Digital Editions

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Photoshop 7.0

Adobe Reader 7.0.9

Advanced SystemCare 4

America Online (Choose which version to remove)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Canon Camera Access Library

Canon Camera Support Core Library

Canon Camera Window DC_DV 5 for ZoomBrowser EX

Canon Camera Window DC_DV 6 for ZoomBrowser EX

Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

CCleaner

CompTIA Network+ N10-004 SE

Corel Business Applications

Coupon Printer for Windows

Critical Update for Windows Media Player 11 (KB959772)

Deutz Engine

DocProc

DocProcQFolder

Easy CD & DVD Creator 6

eMachines Bay Reader V1.00

Garmin USB Drivers

Garmin WebUpdater

Glary Utilities 2.40.0.1326

Hallmark Card Studio Special Edition

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.0 (KB932471)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Driver Diagnostics

HP Officejet Pro 8600 Basic Device Software

HP Officejet Pro 8600 Help

HP Officejet Pro 8600 Product Improvement Study

HP Update

I.R.I.S. OCR

iClean

IObit Malware Fighter

IomegaWare 4.0.3

Java Auto Updater

Java 6 Update 22

JEOPARDY! (remove only)

LeapFrog Connect

LeapFrog Tag Junior Plugin

Learn2 Player (Uninstall Only)

Macromedia Dreamweaver MX

Macromedia Extension Manager

Macromedia Fireworks MX

Macromedia Flash MX

Macromedia FreeHand 10

Mah Jong Quest

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 1.1

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft 70-680 TS Windows 7, Configuring SE

Microsoft Application Error Reporting

Microsoft Automated Troubleshooting Services Shim

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Money 2004

Microsoft Money 2004 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Premium

Microsoft Silverlight

Microsoft USB Flash Drive Manager

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Web Publishing Wizard 1.53

Microsoft Works 7.0

Mozilla Firefox (3.6.8)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

Multimedia Keyboard Driver

NVIDIA Drivers

NVIDIA nView Desktop Manager

NVIDIA Photoshop Plug-ins

OCR Software by I.R.I.S 7.0

Photo Story 3 for Windows

PowerDVD

PrintMaster Platinum 4.00

QuickTime

RealPlayer Basic

RegScrubXP 3.25

Samsung USB Driver (MCCI 3.40)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB2809289)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows Internet Explorer 8 (KB2829530)

Security Update for Windows Internet Explorer 8 (KB2847204)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219-v2)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2753842)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB2807986)

Security Update for Windows XP (KB2808735)

Security Update for Windows XP (KB2813170)

Security Update for Windows XP (KB2813345)

Security Update for Windows XP (KB2820197)

Security Update for Windows XP (KB2820917)

Security Update for Windows XP (KB2829361)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Service Pack 1 for SQL Server 2008 (KB968369)

Smart Defrag

SmartMorph

Spybot - Search & Destroy

StickyNote 9

SUPERAntiSpyware

Titanium Internet Security

Trend Micro RUBotted

Trend Micro™ Titanium™ Internet Security

Tweak UI

Tweaking.com - Windows Repair (All in One)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WebFldrs XP

WebReg

Winamp (remove only)

Windows Backup Utility

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)

Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Format SDK Hotfix - KB891122

Windows Media Player 11

Windows Movie Maker 2.0

Windows Presentation Foundation

Windows XP Service Pack 3

WinMorph™ 3.01

WinRAR archiver

WinZip

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

5/20/2013 9:19:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 cdudf_xp Fips Lbd SASDIFSV SASKUTIL tmtdi

5/20/2013 9:18:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

5/20/2013 9:16:36 PM, error: NtServicePack [4379] - Windows XP Hotfix KB2829530-IE8 installation failed.

KB2829530 installation did not complete.

5/20/2013 9:16:36 PM, error: NtServicePack [4373] - Windows XP KB2829530-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/20/2013 9:16:12 PM, error: NtServicePack [4379] - Windows XP Hotfix KB2691442 installation failed.

KB2691442 installation did not complete.

5/20/2013 9:16:12 PM, error: NtServicePack [4373] - Windows XP KB2691442 installation failed.

Insufficient system resources exist to complete the requested service.

5/20/2013 9:15:50 PM, error: NtServicePack [4379] - Windows XP Hotfix KB2655992 installation failed.

KB2655992 installation did not complete.

5/20/2013 9:15:50 PM, error: NtServicePack [4373] - Windows XP KB2655992 installation failed.

Insufficient system resources exist to complete the requested service.

5/20/2013 11:20:14 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.

5/20/2013 11:20:12 PM, error: VolSnap [10] - The shadow copy of volume C: took too long to install.

5/20/2013 11:02:55 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.

5/20/2013 10:31:42 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Insufficient system resources exist to complete the requested service.

5/17/2013 3:05:01 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2829530).

5/17/2013 3:04:19 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2829530-IE8 installation failed.

KB2829530 installation did not complete.

5/17/2013 3:04:19 AM, error: NtServicePack [4373] - Windows XP KB2829530-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/17/2013 3:03:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB2691442).

5/17/2013 3:03:50 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2691442 installation failed.

KB2691442 installation did not complete.

5/17/2013 3:03:50 AM, error: NtServicePack [4373] - Windows XP KB2691442 installation failed.

Insufficient system resources exist to complete the requested service.

5/17/2013 3:03:32 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB2655992).

5/17/2013 3:03:26 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2655992 installation failed.

KB2655992 installation did not complete.

5/17/2013 3:03:26 AM, error: NtServicePack [4373] - Windows XP KB2655992 installation failed.

Insufficient system resources exist to complete the requested service.

5/17/2013 3:03:10 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Internet Explorer 8 for Windows XP (KB2847204).

5/17/2013 3:03:05 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2847204-IE8 installation failed.

KB2847204 installation did not complete.

5/17/2013 3:03:05 AM, error: NtServicePack [4373] - Windows XP KB2847204-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/17/2013 3:01:17 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597).

5/16/2013 3:24:50 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Lbd

5/16/2013 3:23:27 AM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/16/2013 3:19:49 AM, error: NtServicePack [4373] - Windows XP KB2829530-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/16/2013 3:19:00 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2691442 installation failed.

KB2691442 installation did not complete.

5/16/2013 3:19:00 AM, error: NtServicePack [4373] - Windows XP KB2691442 installation failed.

Insufficient system resources exist to complete the requested service.

5/16/2013 3:18:34 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2655992 installation failed.

KB2655992 installation did not complete.

5/16/2013 3:18:34 AM, error: NtServicePack [4373] - Windows XP KB2655992 installation failed.

Insufficient system resources exist to complete the requested service.

5/16/2013 3:08:02 AM, error: NtServicePack [4373] - Windows XP KB2847204-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/15/2013 3:03:35 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2691442 installation failed.

KB2691442 installation did not complete.

5/15/2013 3:03:35 AM, error: NtServicePack [4373] - Windows XP KB2691442 installation failed.

Insufficient system resources exist to complete the requested service.

5/15/2013 3:03:18 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2655992 installation failed.

KB2655992 installation did not complete.

5/15/2013 3:03:18 AM, error: NtServicePack [4373] - Windows XP KB2655992 installation failed.

Insufficient system resources exist to complete the requested service.

5/15/2013 3:03:07 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2817183).

5/15/2013 3:03:01 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2817183-IE8 installation failed.

KB2817183 installation did not complete.

5/15/2013 3:03:01 AM, error: NtServicePack [4373] - Windows XP KB2817183-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

5/15/2013 3:01:16 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800b0110: nVidia - Other hardware - NVIDIA GeForce 7800 GS.

5/14/2013 3:04:22 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2691442 installation failed.

KB2691442 installation did not complete.

5/14/2013 3:04:22 AM, error: NtServicePack [4373] - Windows XP KB2691442 installation failed.

Insufficient system resources exist to complete the requested service.

5/14/2013 3:04:01 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2655992 installation failed.

KB2655992 installation did not complete.

5/14/2013 3:04:01 AM, error: NtServicePack [4373] - Windows XP KB2655992 installation failed.

Insufficient system resources exist to complete the requested service.

5/14/2013 3:03:40 AM, error: NtServicePack [4379] - Windows XP Hotfix KB2817183-IE8 installation failed.

KB2817183 installation did not complete.

5/14/2013 3:03:40 AM, error: NtServicePack [4373] - Windows XP KB2817183-IE8 installation failed.

Insufficient system resources exist to complete the requested service.

.

==== End Of File ===========================

If someone would have a look at these and let me know what my next plan of action should be, I would greatly appreciate it.

Thanks for your time and trouble.

N. Bryan McC.


Hello NBryanM and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 3----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

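An added example, not from this thread and not part of any tool it mentions: a small Python triage script for the two log formats posted here, the DDS "Event Viewer Messages" lines and the ComboFix R/S service list. It decodes the Windows Update Agent HRESULTs to their Win32 code (0x800705aa is 1450, ERROR_NO_SYSTEM_RESOURCES, the "Insufficient system resources" text the NtServicePack entries also report), tallies which boot-start drivers the Service Control Manager could not load, and cross-references those names against services whose image ComboFix marks with `--> ... [?]`, its notation for a file it could not find. The sample lines are copied from the logs in this thread and embedded inline as a constructed input; the two-entry Win32 name table is supplied by me. The output is a summary for a human reviewer, not a verdict on what is or is not malicious.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the DDS "Event Viewer Messages" section
# and the ComboFix service list posted in this thread (abridged test input).
SAMPLE_EVENTS = r"""
5/20/2013 9:19:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 cdudf_xp Fips Lbd SASDIFSV SASKUTIL tmtdi
5/17/2013 3:05:01 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2829530).
5/17/2013 3:03:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Security Update for Windows XP (KB2691442).
5/17/2013 3:01:17 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597).
5/16/2013 3:24:50 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Lbd
5/15/2013 3:03:07 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800705aa: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2817183).
"""

SAMPLE_SERVICES = r"""
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S3 60090679;60090679;c:\windows\system32\drivers\29542028.sys --> c:\windows\system32\drivers\29542028.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 11:23 AM 18560]
"""

# DDS event line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (?P<level>\w+): "
    r"(?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
LOAD_FAIL_RE = re.compile(r"failed to load: (?P<names>.+)$")
WU_FAIL_RE = re.compile(r"error (?P<hresult>0x[0-9A-Fa-f]{8}): .+ \((?P<kb>KB\d+)\)\.?$")
# ComboFix service line: "<R|S><start> <name>;<display>;<path> [<stamp>]"
# or, for an image ComboFix could not find, "<path> --> <path> [?]".
SERVICE_RE = re.compile(
    r"^(?P<type>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<missing>.+?) \[\?\]| \[(?P<stamp>[^\]]*)\])$"
)

# Two-entry lookup supplied for this example (assumption: extend as needed).
WIN32_NAMES = {
    1450: "ERROR_NO_SYSTEM_RESOURCES",  # "Insufficient system resources exist..."
    1603: "ERROR_INSTALL_FAILURE",
}


def decode_hresult(hresult):
    """Return (win32_code, name) for a FACILITY_WIN32 (7) HRESULT, else (None, reason)."""
    code = int(hresult, 16)
    facility = (code >> 16) & 0x7FF
    if facility != 7:
        return None, "facility %d (not a wrapped Win32 error)" % facility
    win32 = code & 0xFFFF  # low 16 bits carry the Win32 error number
    return win32, WIN32_NAMES.get(win32, "unknown Win32 error %d" % win32)


def parse_services(text):
    """Parse ComboFix R/S service lines into dicts; 'missing' is True for '--> ... [?]'."""
    services = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append({
                "start": int(m.group("start")),
                "name": m.group("name"),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return services


def triage(events_text, services_text):
    """Summarise driver load failures, update failures and missing service images."""
    load_failures = Counter()
    update_failures = {}
    for line in events_text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, event_id, msg = m.group("source"), m.group("id"), m.group("msg")
        if src == "Service Control Manager" and event_id == "7026":
            lf = LOAD_FAIL_RE.search(msg)
            if lf:
                load_failures.update(lf.group("names").split())
        elif src == "Windows Update Agent" and event_id == "20":
            wu = WU_FAIL_RE.search(msg)
            if wu:
                hres = wu.group("hresult").lower()
                win32, name = decode_hresult(hres)
                update_failures.setdefault(wu.group("kb"), []).append((hres, win32, name))
    services = parse_services(services_text)
    present = {s["name"] for s in services if not s["missing"]}
    missing = [s["name"] for s in services if s["missing"]]
    return {
        "driver_load_failures": load_failures,
        "update_failures": update_failures,
        "win32_error_histogram": Counter(w for f in update_failures.values() for _, w, _ in f),
        "services_missing_image": missing,
        # Load failure explained by a missing image file.
        "failed_and_missing": sorted(set(missing) & set(load_failures)),
        # Load failure with the image on disk: needs a closer look (resource
        # exhaustion, a broken install, or something blocking the load).
        "failed_with_image_present": sorted(set(load_failures) & present),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_SERVICES).items():
        print("%-26s %s" % (key, dict(value) if isinstance(value, Counter) else value))
```

On the sample, Lbd fails to load and its file is missing, while SASDIFSV fails with its file on disk, which is the distinction a helper wants before deciding what to reinstall versus what to investigate. The numeric S3 entry with a missing .sys is reported only as a missing image; what it is needs context the log alone does not give.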

Thank you, D-Fred-Brown, for your time and help. Here are the reports you requested, except for the TDSSKiller report, which I could not get to run.

1.) Could not get TDSSKiller to run. Initialization would get up to 40% and I would get a green Kaspersky error box that said "Can't load driver". I tried renaming the file and I tried changing the extension; neither worked. I downloaded another copy from a different source, and same thing: "Can't load driver".

2.) ComboFix report:

ComboFix 13-05-21.01 - Bryan 05/22/2013 20:15:29.3.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1746 [GMT -4:00]

Running from: k:\malware cleaners\ComboFix.exe

AV: Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

.

((((((((((((((((((((((((( Files Created from 2013-04-22 to 2013-05-22 )))))))))))))))))))))))))))))))

.

.

2013-05-21 10:37 . 2013-05-21 10:48 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-05-21 10:37 . 2013-05-21 10:48 143688 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-05-21 03:30 . 2013-05-21 03:35 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2013-05-21 03:29 . 2013-05-21 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-05-21 03:22 . 2013-05-21 03:22 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2013-05-21 02:59 . 2013-05-21 02:59 -------- d-----w- C:\RegBackup

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-21 03:55 . 2011-12-31 14:06 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-04-21 13:25 . 2013-04-21 13:25 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-21 13:25 . 2012-01-01 00:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-16 22:17 . 2003-04-23 23:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-16 22:17 . 2003-04-23 23:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-12 23:28 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2013-04-10 01:31 . 2003-04-23 23:52 1876352 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 18:50 . 2011-02-21 02:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36 . 2003-04-23 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28 . 2003-04-23 23:52 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2002-08-29 01:04 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-27 07:56 . 2003-04-23 23:59 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]

"iClean"="c:\program files\Aladdin Systems\iClean\iClean.exe" [2002-06-24 212992]

.

c:\documents and settings\Tina\Start Menu\Programs\Startup\

PerfectPrint.LNK - c:\corel\Office7\Shared\PFit7\PFPPOP70.EXE [2009-9-16 282624]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\StickyNote\\StickyNote.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"34447:TCP"= 34447:TCP:rFactor TCP

"34397:UDP"= 34397:UDP:rFactor UDP

"34297:UDP"= 34297:UDP:rFactor Query

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/6/2011 11:19 PM 353168]

S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [1/29/2011 7:53 PM 188272]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/6/2011 11:20 PM 820568]

S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/25/2009 7:42 PM 582992]

S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/29/2011 7:55 PM 64080]

S3 60090679;60090679;c:\windows\system32\drivers\29542028.sys --> c:\windows\system32\drivers\29542028.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 11:23 AM 18560]

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [9/5/2004 2:22 AM 95232]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [8/14/2011 12:16 AM 30368]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [8/14/2011 12:16 AM 16080]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [8/14/2011 12:16 AM 239600]

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-21 13:25]

.

2013-05-21 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-17 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-21 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-21 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-21 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-12-23 14:50]

.

2013-05-22 c:\windows\Tasks\User_Feed_Synchronization-{546E5C0B-F7CF-4D94-A5CD-51A8CCC1C5F4}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/index.php?inc=1

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

Trusted Zone: microsoft.com

TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37390.cab

DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} - hxxp://www.racelm.com/rlm/cfmturbo/cfm2005turboDMCrsnorun.CAB

FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\gawsskto.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php?inc=1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-21 20:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(908)

c:\windows\System32\l3codeca.acm

.

- - - - - - - > 'explorer.exe'(1424)

c:\windows\system32\WININET.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2013-05-21 20:25:13

ComboFix-quarantined-files.txt 2013-05-22 00:25

ComboFix2.txt 2013-05-21 02:48

ComboFix3.txt 2013-05-06 01:57

.

Pre-Run: 128,811,257,856 bytes free

Post-Run: 128,798,785,536 bytes free

.

- - End Of File - - 9974648BB5A2EADDE7BDB91398514EA7

3.) Security Check report:

Results of screen317's Security Check version 0.99.64

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Trend Micro RUBotted

Trend Micro™ Titanium™ Internet Security

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Out of date HijackThis installed!

Spybot - Search & Destroy

SUPERAntiSpyware

Malwarebytes Anti-Malware version 1.75.0.1300

HijackThis 2.0.2

CCleaner

Java 6 Update 22

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 10.1.82.76 Flash Player out of Date!

Adobe Reader 7

Mozilla Firefox (3.6.8) Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

IObit IObit Malware Fighter IMFsrv.exe

Trend Micro RUBotted TMRUBotted.exe

Trend Micro UniClient UiFrmWrk uiWatchDog.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 8%

````````````````````End of Log``````````````````````


No problem. :)

Forget about TDSSKiller for now. Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

60090679

29542028

File::

c:\windows\system32\drivers\29542028.sys

c:\windows\system32\drivers\60090679.sys

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.

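The CFScript above removes two services by name and deletes their driver files. Picking those targets out of a ComboFix log by hand is error-prone, so here is an added example (not code from this thread, from ComboFix, or from the helper) that parses the "R1/R2/S3 ..." service lines of a ComboFix log, flags entries worth a second look, and drafts a CFScript in the same KILLALL::/Driver::/File::/Reboot:: layout. The two review rules it applies, numeric-only service or driver names and image files that ComboFix reports as missing with "--> ... [?]", are this example's own assumptions about what deserves review, not a malware verdict. Five of the sample lines are copied from the second ComboFix log posted in this thread; the 12345678 line is constructed so that a File:: section appears in the output.

```python
"""Triage the service lines of a ComboFix log and draft a CFScript for the hits.

Added example; not code from the thread, from ComboFix or from the helper who
wrote the CFScript above. The rules (numeric-only service or driver names, image
files that ComboFix reports as missing) are assumptions about what deserves a
second look, not a malware verdict.
"""
import re
from dataclasses import dataclass, field

# Shape of a ComboFix service line: state, name;display;image, then either a
# "--> path [?]" tail when the file is missing or "[date time size]" when found.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<missing>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Lines 1-4 and 6 are copied from the second ComboFix log in the thread; line 5
# is constructed for this example (a numeric-named driver whose file exists).
SAMPLE_LOG = [
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]",
    r"R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/6/2011 11:20 PM 820568]",
    r"S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]",
    r"S3 68966872;68966872;c:\windows\system32\drivers\12098590.sys --> c:\windows\system32\drivers\12098590.sys [?]",
    r"S3 12345678;12345678;c:\windows\system32\drivers\12345678.sys [5/21/2013 10:37 AM 30464]",  # constructed
    r"S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [9/5/2004 2:22 AM 95232]",
]


@dataclass
class Service:
    state: str
    name: str
    image: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a Service for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    name, image = m.group("name"), m.group("image")
    missing = m.group("missing") is not None or m.group("meta").strip() == "?"
    svc = Service(m.group("state"), name, image, missing)
    if name.isdigit():
        svc.reasons.append("numeric-only service name")
    filename = image.rsplit("\\", 1)[-1].lower()
    if filename.endswith(".sys") and filename[:-4].isdigit():
        svc.reasons.append("numeric-only driver filename")
    if missing:
        svc.reasons.append("image file reported missing")
    return svc


def flag_services(log_lines):
    """Services with at least one review reason, in log order."""
    flagged = []
    for line in log_lines:
        svc = parse_service_line(line)
        if svc is not None and svc.reasons:
            flagged.append(svc)
    return flagged


def draft_cfscript(flagged):
    """Draft a CFScript in the Driver::/File:: layout used in the thread.

    Driver:: removes the service entry; File:: is only emitted for images
    ComboFix actually found, since there is nothing on disk to delete otherwise.
    """
    lines = ["KILLALL::"]
    if flagged:
        lines += ["Driver::"] + [s.name for s in flagged]
    present = [s.image for s in flagged if not s.file_missing]
    if present:
        lines += ["File::"] + present
    lines.append("Reboot::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_services(SAMPLE_LOG)
    for s in hits:
        print(f"{s.state} {s.name}: {', '.join(s.reasons)}")
    print(draft_cfscript(hits))
```

On the sample input this flags Lbd (file missing), 68966872 (numeric name, numeric driver file, file missing) and the constructed 12345678 entry, and the draft lists all three under Driver:: but only the 12345678 driver under File::. The draft is a starting point for review: a missing file can also mean an uninstaller left a stale service behind (Lbd.sys belongs to Ad-Aware, which the Security Check report shows as installed but disabled), so each hit should be checked against the rest of the log before anything is fed to ComboFix.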

D-Fred-Brown,

Should the above procedure be done in Safe Mode or in normal Windows mode? I normally run ComboFix in Safe Mode. I am at work now, but as soon as I get home tonight I will set up the script and run ComboFix as instructed.

Thanks Bryan.


Like I said in my first post, the only two issues we have been having with this computer are these. We get a Windows error that pops up once in a while when it first boots up. Nothing crashes, just a box pops up saying something about a file that didn't load and wanting to send info to Microsoft; I traced it down to .NET Framework 3.0 or 3.5. I uninstalled all the .NET Frameworks and reinstalled them and ran the Windows Fix It tool, but never did get it fixed. The other problem was that every time you shut the computer down it wants to install the same six or seven Windows updates. I tried running the Microsoft Update fix, but that didn't help either. Both, I believe, were related to a system restore I did a long time ago. The reason I wanted to check out this computer was that I found 4 Trojans on one of our other computers and wanted to check this one to see if it was all right, and when I tried to run Malwarebytes Anti-Rootkit and TDSSKiller they would not run. I have run them on this computer before, so I was afraid something was wrong. So anyway, here is the latest ComboFix report:

ComboFix 13-05-21.01 - Bryan 05/23/2013 19:28:38.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1459 [GMT -4:00]

Running from: k:\malware cleaners\ComboFix.exe

Command switches used :: k:\malware cleaners\CFScript.txt

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

FILE ::

"c:\windows\system32\drivers\29542028.sys"

"c:\windows\system32\drivers\60090679.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\SET321.tmp

c:\windows\system32\SET325.tmp

c:\windows\system32\SET329.tmp

c:\windows\system32\SET32A.tmp

c:\windows\system32\SET32B.tmp

c:\windows\system32\SET32C.tmp

c:\windows\system32\SET32D.tmp

c:\windows\system32\SET32E.tmp

c:\windows\system32\SET32F.tmp

c:\windows\system32\SET3DE.tmp

c:\windows\system32\SET3E2.tmp

c:\windows\system32\SET3E6.tmp

c:\windows\system32\SET3E7.tmp

c:\windows\system32\SET3E8.tmp

c:\windows\system32\SET3E9.tmp

c:\windows\system32\SET3EA.tmp

c:\windows\system32\SET3EB.tmp

c:\windows\system32\SET3EC.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-04-23 to 2013-05-23 )))))))))))))))))))))))))))))))

.

.

2013-05-22 01:29 . 2013-05-22 07:01 -------- d-----w- c:\documents and settings\Admin

2013-05-21 10:37 . 2013-05-22 01:14 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-05-21 03:30 . 2013-05-21 03:35 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2013-05-21 03:29 . 2013-05-21 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-05-21 02:59 . 2013-05-21 02:59 -------- d-----w- C:\RegBackup

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-21 03:55 . 2011-12-31 14:06 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-04-21 13:25 . 2013-04-21 13:25 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-21 13:25 . 2012-01-01 00:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-16 22:17 . 2003-04-23 23:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-16 22:17 . 2003-04-23 23:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-12 23:28 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2013-04-10 01:31 . 2003-04-23 23:52 1876352 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 18:50 . 2011-02-21 02:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36 . 2003-04-23 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28 . 2003-04-23 23:52 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2002-08-29 01:04 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-27 07:56 . 2003-04-23 23:59 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]

"iClean"="c:\program files\Aladdin Systems\iClean\iClean.exe" [2002-06-24 212992]

.

c:\documents and settings\Tina\Start Menu\Programs\Startup\

PerfectPrint.LNK - c:\corel\Office7\Shared\PFit7\PFPPOP70.EXE [2009-9-16 282624]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\StickyNote\\StickyNote.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"34447:TCP"= 34447:TCP:rFactor TCP

"34397:UDP"= 34397:UDP:rFactor UDP

"34297:UDP"= 34297:UDP:rFactor Query

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/6/2011 11:19 PM 353168]

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [1/29/2011 7:53 PM 188272]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/6/2011 11:20 PM 820568]

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/25/2009 7:42 PM 582992]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/29/2011 7:55 PM 64080]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 68966872;68966872;c:\windows\system32\drivers\12098590.sys --> c:\windows\system32\drivers\12098590.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 11:23 AM 18560]

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [9/5/2004 2:22 AM 95232]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [8/14/2011 12:16 AM 30368]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [8/14/2011 12:16 AM 16080]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [8/14/2011 12:16 AM 239600]

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-21 13:25]

.

2013-05-22 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-23 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-22 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-22 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-23 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-12-23 14:50]

.

2013-05-23 c:\windows\Tasks\User_Feed_Synchronization-{546E5C0B-F7CF-4D94-A5CD-51A8CCC1C5F4}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/index.php?inc=1

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

Trusted Zone: microsoft.com

TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37390.cab

DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} - hxxp://www.racelm.com/rlm/cfmturbo/cfm2005turboDMCrsnorun.CAB

FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\gawsskto.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php?inc=1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-23 19:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1012)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

.

**************************************************************************

.

Completion time: 2013-05-23 19:47:01 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-23 23:46

ComboFix2.txt 2013-05-22 00:25

ComboFix3.txt 2013-05-21 02:48

ComboFix4.txt 2013-05-06 01:57

.

Pre-Run: 128,511,795,200 bytes free

Post-Run: 128,535,777,280 bytes free

.

- - End Of File - - D163211EC2525F945D7AD4441EBD5F65

Thanks again D-Fred-Brown


Are things running better? We have a little more fixing to do to clear up the last of things.

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

68966872

File::

c:\windows\system32\drivers\12098590.sys

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.


Here is the next report:

ComboFix 13-05-21.01 - Bryan 05/23/2013 20:23:01.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1315 [GMT -4:00]

Running from: k:\malware cleaners\ComboFix.exe

Command switches used :: k:\malware cleaners\CFScript.txt

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

FILE ::

"c:\windows\system32\drivers\12098590.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_68966872

.

.

((((((((((((((((((((((((( Files Created from 2013-04-24 to 2013-05-24 )))))))))))))))))))))))))))))))

.

.

2013-05-22 01:29 . 2013-05-22 07:01 -------- d-----w- c:\documents and settings\Admin

2013-05-21 10:37 . 2013-05-22 01:14 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-05-21 03:30 . 2013-05-21 03:35 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2013-05-21 03:29 . 2013-05-21 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-05-21 02:59 . 2013-05-21 02:59 -------- d-----w- C:\RegBackup

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-21 03:55 . 2011-12-31 14:06 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-04-21 13:25 . 2013-04-21 13:25 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-21 13:25 . 2012-01-01 00:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-16 22:17 . 2003-04-23 23:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-16 22:17 . 2003-04-23 23:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-12 23:28 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2013-04-10 01:31 . 2003-04-23 23:52 1876352 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 18:50 . 2011-02-21 02:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36 . 2003-04-23 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28 . 2003-04-23 23:52 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2002-08-29 01:04 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-27 07:56 . 2003-04-23 23:59 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]

"iClean"="c:\program files\Aladdin Systems\iClean\iClean.exe" [2002-06-24 212992]

.

c:\documents and settings\Tina\Start Menu\Programs\Startup\

PerfectPrint.LNK - c:\corel\Office7\Shared\PFit7\PFPPOP70.EXE [2009-9-16 282624]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\StickyNote\\StickyNote.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"34447:TCP"= 34447:TCP:rFactor TCP

"34397:UDP"= 34397:UDP:rFactor UDP

"34297:UDP"= 34297:UDP:rFactor Query

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/6/2011 11:19 PM 353168]

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [1/29/2011 7:53 PM 188272]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/6/2011 11:20 PM 820568]

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/25/2009 7:42 PM 582992]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/29/2011 7:55 PM 64080]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 11:23 AM 18560]

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [9/5/2004 2:22 AM 95232]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [8/14/2011 12:16 AM 30368]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [8/14/2011 12:16 AM 16080]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [8/14/2011 12:16 AM 239600]

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-21 13:25]

.

2013-05-22 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-23 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-22 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-22 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-24 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-12-23 14:50]

.

2013-05-24 c:\windows\Tasks\User_Feed_Synchronization-{546E5C0B-F7CF-4D94-A5CD-51A8CCC1C5F4}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/index.php?inc=1

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

Trusted Zone: microsoft.com

TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 24.177.176.38

DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37390.cab

DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} - hxxp://www.racelm.com/rlm/cfmturbo/cfm2005turboDMCrsnorun.CAB

FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\gawsskto.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php?inc=1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-23 20:32

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(392)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

.

**************************************************************************

.

Completion time: 2013-05-23 20:40:43 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-24 00:40

ComboFix2.txt 2013-05-23 23:47

ComboFix3.txt 2013-05-22 00:25

ComboFix4.txt 2013-05-21 02:48

ComboFix5.txt 2013-05-24 00:21

.

Pre-Run: 128,540,209,152 bytes free

Post-Run: 127,999,442,944 bytes free

.

- - End Of File - - 22573E643BCC3E46D0162E88B424E0CD


Looking good. Are things appearing to run better?

Let's check for any leftovers we may have missed earlier:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Here are the logs from the ESET scan:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=1b998a529df11545be4d13dbe4b35cea

# engine=13899

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-05-24 06:30:21

# local_time=2013-05-24 02:30:21 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# scanned=138059

# found=4

# cleaned=0

# scan_time=14742

sh=2DC37F312ADAE9CD8DE5D0369F8883DB52E1BC9B ft=1 fh=01ed0f1ad7e8db37 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\All Users\Documents\gusetup.exe"

sh=2DC37F312ADAE9CD8DE5D0369F8883DB52E1BC9B ft=1 fh=01ed0f1ad7e8db37 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\All Users\Documents\utility.exe"

sh=E32AA2E78D2C8F0E9316080E71A714BEFE851E6C ft=1 fh=374915f71a49693e vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Program Files\Glary Utilities\ApnIC.dll"

sh=FC1DD1D45CD4E293EF8ED7C2B3709ECB9E04442B ft=1 fh=364b28d8dff84f34 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Program Files\Glary Utilities\ApnToolbarInstaller.exe"

Thanks again D-Fred-Brown for hanging with me on this. I really appreciate it!


Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::

C:\Documents and Settings\All Users\Documents\gusetup.exe

C:\Documents and Settings\All Users\Documents\utility.exe

C:\Program Files\Glary Utilities\ApnIC.dll

C:\Program Files\Glary Utilities\ApnToolbarInstaller.exe

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.


Here you go D-Fred-Brown,

Are we getting close?

ComboFix 13-05-21.01 - Bryan 05/24/2013 22:17:41.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1277 [GMT -4:00]

Running from: k:\malware cleaners\ComboFix.exe

Command switches used :: k:\malware cleaners\CFScript.txt

AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}

.

FILE ::

"c:\documents and settings\All Users\Documents\gusetup.exe"

"c:\documents and settings\All Users\Documents\utility.exe"

"c:\program files\Glary Utilities\ApnIC.dll"

"c:\program files\Glary Utilities\ApnToolbarInstaller.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\SET41D8.tmp

c:\windows\system32\SET41DC.tmp

c:\windows\system32\SET41E0.tmp

c:\windows\system32\SET41E1.tmp

c:\windows\system32\SET41E2.tmp

c:\windows\system32\SET41E3.tmp

c:\windows\system32\SET41E4.tmp

c:\windows\system32\SET41E5.tmp

c:\windows\system32\SET41E6.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-04-25 to 2013-05-25 )))))))))))))))))))))))))))))))

.

.

2013-05-24 02:18 . 2013-05-24 02:18 -------- d-----w- c:\program files\ESET

2013-05-22 01:29 . 2013-05-22 07:01 -------- d-----w- c:\documents and settings\Admin

2013-05-21 10:37 . 2013-05-22 01:14 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-05-21 03:30 . 2013-05-21 03:35 30464 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys

2013-05-21 03:29 . 2013-05-21 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-05-21 02:59 . 2013-05-21 02:59 -------- d-----w- C:\RegBackup

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-21 03:55 . 2011-12-31 14:06 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-04-21 13:25 . 2013-04-21 13:25 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-04-21 13:25 . 2012-01-01 00:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-04-16 22:17 . 2003-04-23 23:52 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-04-16 22:17 . 2003-04-23 23:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-04-12 23:28 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2013-04-10 01:31 . 2003-04-23 23:52 1876352 ----a-w- c:\windows\system32\win32k.sys

2013-04-04 18:50 . 2011-02-21 02:52 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 08:36 . 2003-04-23 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:28 . 2003-04-23 23:52 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2002-08-29 01:04 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-02-27 07:56 . 2003-04-23 23:59 2067456 ----a-w- c:\windows\system32\mstscax.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]

"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2012-08-08 540056]

"iClean"="c:\program files\Aladdin Systems\iClean\iClean.exe" [2002-06-24 212992]

.

c:\documents and settings\Tina\Start Menu\Programs\Startup\

PerfectPrint.LNK - c:\corel\Office7\Shared\PFit7\PFPPOP70.EXE [2009-9-16 282624]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe"

"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\StickyNote\\StickyNote.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=

"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"34447:TCP"= 34447:TCP:rFactor TCP

"34397:UDP"= 34397:UDP:rFactor UDP

"34297:UDP"= 34297:UDP:rFactor Query

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/6/2011 11:19 PM 353168]

R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [1/29/2011 7:53 PM 188272]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/6/2011 11:20 PM 820568]

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/25/2009 7:42 PM 582992]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/29/2011 7:55 PM 64080]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 11:23 AM 18560]

S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [9/5/2004 2:22 AM 95232]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [8/14/2011 12:16 AM 30368]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/25/2009 7:42 PM 206608]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [8/14/2011 12:16 AM 16080]

S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [8/14/2011 12:16 AM 239600]

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-21 13:25]

.

2013-05-24 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-25 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-24 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-24 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 19:53]

.

2013-05-25 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2011-12-23 14:50]

.

2013-05-25 c:\windows\Tasks\User_Feed_Synchronization-{546E5C0B-F7CF-4D94-A5CD-51A8CCC1C5F4}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.charter.net/index.php?inc=1

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

Trusted Zone: microsoft.com

DPF: {20722C4E-9050-45C8-8D1A-816C4A06AD90} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_6/PhotoCenter_ActiveX_Control.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37390.cab

DPF: {CC1E9F72-AFBE-4C67-B6E1-AB992035E562} - hxxp://www.racelm.com/rlm/cfmturbo/cfm2005turboDMCrsnorun.CAB

FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\gawsskto.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.charter.net/index.php?inc=1

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1505\6.6.1088\firefoxextension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-24 22:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,e8,ba,63,04,e3,27,42,8d,04,b4,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2920)

c:\windows\system32\WININET.dll

c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe

c:\progra~1\COMMON~1\AOL\ACS\acsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\windows\system32\HPZipm12.exe

c:\windows\System32\MsPMSPSv.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe

.

**************************************************************************

.

Completion time: 2013-05-24 22:35:36 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-25 02:35

ComboFix2.txt 2013-05-23 23:47

ComboFix3.txt 2013-05-22 00:25

ComboFix4.txt 2013-05-21 02:48

ComboFix5.txt 2013-05-24 00:21

.

Pre-Run: 127,628,328,960 bytes free

Post-Run: 127,728,058,368 bytes free

.

- - End Of File - - FE3BE80C138CC72B11F3E88FE288A6EA


Here you go D-Fred-Brown,

Are we getting close?

Yup. :)

Your computer appears to be clean.

Please take the time to install the following updates. Program updates are an important way to prevent malware from getting on your system, as outdated programs leave you vulnerable.

-----------

Upgrade Java : (32 bits)

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 7 Update 3 .
  • Under the JAVA Platform Standard Edition, click the "Download JRE" button to the right.
  • Accept the License Agreement.
  • Click on the link to download Windows Offline Installation 32 bit (jre-7u3-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista or Win 7 users, right click on the jre-7u3-windows-i586.exe and select "Run as an Administrator.")

-----------

Your version of Adobe Flash is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Adobe flash:

  1. Please download the latest version of Adobe Flash from http://get.adobe.com.../otherversions/ to your Desktop
  2. Double click the file to start the installation process
  3. Repeat 1. and 2. for every other browser you have installed (eg Internet Explorer / Firefox / Chrome / Safari / Opera..) as applicable.

-----------

Your version of Firefox is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Firefox:


Thank you so much for all your time and trouble. I would like to have the one that I found the 4 trojans on checked out to make sure TDSSKiller and Malwarebytes Anti Rootkit did a good job on it. Would you have time to look at it some time, or do I need to post and wait for another tech to take a look at it? I don't want to jump the line, so to speak. I am more than willing to wait my turn. And again I thank you for all your time and trouble.

N. Bryan McConnell


As soon as the eScan finished the other night I disconnected it from the internet again, just to be on the safe side. I've been busy with dad being in the hospital. I plan on getting the updates done hopefully this evening. I will let you know how it goes.


Sorry I'm late getting back to you D-Fred-Brown, up all night at the hospital with dad again; good news is he is doing better. Anyway, I finally got around to running the needed updates. I'm still having an issue with Windows Update: I have about 5 or 6 updates that continue to fail. As soon as I get that problem resolved I should be good to go.

Here is the latest Security Check if it helps:

Results of screen317's Security Check version 0.99.64

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

ESET Online Scanner v3

Trend Micro RUBotted

Trend Micro™ Titanium™ Internet Security

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Out of date HijackThis installed!

Spybot - Search & Destroy

SUPERAntiSpyware

Malwarebytes Anti-Malware version 1.75.0.1300

HijackThis 2.0.2

CCleaner

Java 6 Update 22

Java 7 Update 21

Adobe Reader 7

````````Process Check: objlist.exe by Laurent````````

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

IObit IObit Malware Fighter IMFsrv.exe

Trend Micro AMSP coreServiceShell.exe

Trend Micro UniClient UiFrmWrk uiWatchDog.exe

Trend Micro AMSP coreFrameworkHost.exe

Trend Micro RUBotted TMRUBotted.exe

Trend Micro UniClient UiFrmWrk uiSeAgnt.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 8%

````````````````````End of Log``````````````````````


I've tried the Microsoft Fixit for Windows Update and it doesn't fix the problem. I think I am going to have to manually uninstall and reinstall the updates, and probably remove the references to them from the registry so Windows will reinstall them.


Thanks D-Fred-Brown, you have been a big help. I will have to do some research before I attempt the uninstall and reinstall, but I will let you know how it goes. I hope to be ready to start tomorrow evening after work.

Thanks again you have been a big help.

Bryan
