Jump to content


Photo
- - - - -

Suspicious Behavior


  • This topic is locked This topic is locked
25 replies to this topic

#1 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 11 April 2013 - 01:22 PM

I appreciate any help you can give. I'm not sure what is going on. I think I may be infected with something. I keep getting a repeating error window that pops up that looks like this:


GoogleEarth-Win-Bundle-7.0.3.8542:error
7-Zip: Internal error, code 105.


And my firewall also keeps popping up with a repeating suspicious behavior message that says:

Setup Launcher Unicode is trying to launch C:\WINDOWS\system32\msiexec.exe, or use another program to gain access to privileged resources


I keep telling it to "deny" but it keeps coming back.


My Malwarebytes has been updated but it is not detecting anything. Here is the latest scan:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.11.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Robert :: METATRON [administrator]

4/11/2013 10:05:40 AM
mbam-log-2013-04-11 (10-05-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 259154
Time elapsed: 14 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Here is the DDS:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.17.2
Run by Robert at 11:03:42 on 2013-04-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1802 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Update\Install\{A5AE69A3-4216-49D7-BBB7-66C63692B377}\GoogleEarth-Win-Bundle-7.0.3.8542.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: SecureBrowsing bho: {7632ABCA-B104-4fbc-9C70-419C4147061B} - c:\program files\m86security secure browsing\SecureBrowsing.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: M86 Security Secure Browsing: {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - c:\program files\m86security secure browsing\SecureBrowsing.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Facebook Update] "c:\documents and settings\robert\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/w...&"ver=10.0.1204
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242920910640
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340742957406
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{EE2BC3A9-D089-42F2-B524-90E2D651376E} : DHCPNameServer = 192.168.0.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\robert\application data\mozilla\firefox\profiles\ige9lf9l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\robert\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.hpOld - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112487423416078-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d
FF - user.js: extensions.zonealarm.hpNew - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112487423416078-1600&toolbarId=base&affiliateId=1025&Lan=en&utid=941db9ba00000000000000248c444d7d
FF - user.js: extensions.zonealarm.dspOld - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.dspNew - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm_i.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d
FF - user.js: extensions.zonealarm_i.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q=
FF - user.js: extensions.zonealarm.id - 941db9ba00000000000000248c444d7d
FF - user.js: extensions.zonealarm.instlDay - 15469
FF - user.js: extensions.zonealarm.vrsn - 1.5.20.3
FF - user.js: extensions.zonealarm.vrsni - 1.5.20.3
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.20.38:00:02
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1600
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN112936925632837-1600
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 195296]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-11-7 527408]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-4-30 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-4-30 497320]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-29 24064]
.
=============== Created Last 30 ================
.
2013-04-11 03:34:27 7108640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c8848e1-bd45-47b5-95c1-013be969aa3c}\mpengine.dll
2013-04-10 02:49:49 7108640 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-21 18:21:29 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-18 05:19:15 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-18 05:19:10 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M ====================
.
2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33:22 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-18 05:18:57 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-18 05:18:57 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 09:28:30 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 09:28:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 23:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-16 06:19:19 1074560 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-01-16 06:19:19 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-01-16 06:19:15 1074560 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-01 23:33:49 83968 ----a-w- c:\program files\remover.exe
.
============= FINISH: 11:04:33.39 ===============



Here is the Attach:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/20/2009 3:59:49 PM
System Uptime: 4/9/2013 8:22:33 PM (39 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M3N72-D
Processor: AMD Phenom™ 9650 Quad-Core Processor | Socket AM2 | 2299/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 203.374 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
AiO_Scan_CDA
AiOSoftwareNPI
Amazon Kindle
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Army Builder 3.3b
Bonjour
BufferChm
Citrix XenApp Web Plugin
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
DVD Suite
ESET Online Scanner v3
eSupportQFolder
EverQuest
F300
F300_Help
Facebook Video Calling 1.2.0.287
Fax_CDA
Garmin Communicator Plugin
Garmin Lifetime Updater
Garmin USB Drivers
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
Image Plugin
InstantShareDevicesMFC
iTunes
Java 7 Update 17
Java Auto Updater
JavaFX 2.1.1
M86Security Secure Browsing
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office File Validation Add-In
Microsoft Office Publisher 2003
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Windows Media Video 9 VCM
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
Network Magic
NewCopy_CDA
NVIDIA Control Panel 310.90
NVIDIA Drivers
NVIDIA Graphics Driver 310.90
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA nView 136.53
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.1031
NVIDIA Update 1.11.3
NVIDIA Update Components
OCR Software by I.R.I.S 7.0
Picasa 3
PowerDVD
PowerISO
ProductContextNPI
Pure Networks Platform
QuickTime
Readme
Realtek High Definition Audio Driver
RIFT
Safari
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SimCity 4 Deluxe
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Status
The Sims 2
The Sims™ 3
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB971029)
VC 9.0 Runtime
Ventrilo Client
Ventrilo Server
VLC media player 1.0.5
Warcraft III
Warhammer Online - Age of Reckoning
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
World of Warcraft
Xfire (remove only)
Yahoo! Detect
ZoneAlarm Firewall
ZoneAlarm Free Firewall
ZoneAlarm LTD Toolbar
ZoneAlarm Security
.
==== End Of File ===========================



Thank you for your help!

#2 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 11 April 2013 - 01:30 PM

Hi zoot56,

Welcome to Malwarebytes Forum

My name is Tomk1. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Let's do a couple of things:

AdwCleaner
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Then
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
    Posted Image
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
    Posted Image
  • Next click on the ShortcutsFix
    Posted Image
  • another report will be created on your desktop.
Please post: All RKreport.txt text files located on your desktop.
Posted Image

#3 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 11 April 2013 - 03:08 PM

In addition to these reports, roguekiller made two files on my desktop called "RK_Quarentine" and ".picasaoriginals". What do I do with those?

# AdwCleaner v2.200 - Logfile created 04/11/2013 at 12:46:22
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Robert - METATRON
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Robert\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\DOCUME~1\Robert\LOCALS~1\Temp\Uninstall.exe
File Deleted : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\searchplugins\zonealarm.xml
File Deleted : C:\user.js

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\prefs.js

C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1617 octets] - [11/04/2013 12:46:22]

########## EOF - C:\AdwCleaner[S1].txt - [1677 octets] ##########


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Robert [Admin rights]
Mode : Scan -- Date : 04/11/2013 12:56:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00A7B2 +++++
--- User ---
[MBR] 939f19ba167ed9e3214caba0c930aa92
[BSP] 624ba18a9061ea14c4a0a395eb9a19a0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04112013_02d1256.txt >>
RKreport[1]_S_04112013_02d1256.txt


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Robert [Admin rights]
Mode : Remove -- Date : 04/11/2013 12:57:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00A7B2 +++++
--- User ---
[MBR] 939f19ba167ed9e3214caba0c930aa92
[BSP] 624ba18a9061ea14c4a0a395eb9a19a0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04112013_02d1257.txt >>
RKreport[1]_S_04112013_02d1256.txt ; RKreport[2]_D_04112013_02d1257.txt




RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Robert [Admin rights]
Mode : Shortcuts HJfix -- Date : 04/11/2013 13:02:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 2 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 3 / Fail 0
Start menu: Success 4 / Fail 0
User folder: Success 1169 / Fail 0
My documents: Success 201 / Fail 201
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 276 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[3]_SC_04112013_02d1302.txt >>
RKreport[1]_S_04112013_02d1256.txt ; RKreport[2]_D_04112013_02d1257.txt ; RKreport[3]_SC_04112013_02d1302.txt

#4 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 11 April 2013 - 10:29 PM

RK_Quarentine is where the "bad" files that RogueKiller removed are stored.
.picasaoriginals has nothing to do with the tools you ran. It has always been there... it was just hidden. We changed your settings to "show hidden files" so we can see what is hiding. :)

OK... another tool

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Posted Image

#5 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 12 April 2013 - 02:17 AM

ComboFix 13-04-11.01 - Robert 04/11/2013 23:55:43.8.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1978 [GMT -7:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-03-12 to 2013-04-12 )))))))))))))))))))))))))))))))
.
.
2013-04-12 05:41 . 2013-04-12 05:41 26520 ----a-w- c:\program files\Mozilla Firefox\updated\plugin-hang-ui.exe
2013-04-11 19:49 . 2013-04-11 19:49 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\MpKsl9fa00f3a.sys
2013-04-11 03:34 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\mpengine.dll
2013-04-10 02:49 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-21 18:21 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-18 05:19 . 2013-03-18 05:18 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-18 05:19 . 2013-03-18 05:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-04 21:50 . 2010-02-28 00:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33 . 2010-12-31 06:17 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-18 05:18 . 2012-05-09 03:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-18 05:18 . 2011-08-23 00:50 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 09:28 . 2012-06-26 20:25 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 09:28 . 2012-06-26 20:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2009-05-20 22:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55 . 2008-04-14 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 23:59 . 2011-04-18 20:18 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-09-01 23:33 . 2010-12-31 23:11 83968 ----a-w- c:\program files\remover.exe
2013-03-13 06:37 . 2013-02-20 18:34 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-01-31 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-10-03 1409384]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-08 73392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-02 738984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1204" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Army Builder\\ArmyBuilder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3074:TCP"= 3074:TCP:*:Disabled:xbox live
"3074:UDP"= 3074:UDP:*:Disabled:xbox live
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
.
R1 MpKsl9fa00f3a;MpKsl9fa00f3a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\MpKsl9fa00f3a.sys [4/11/2013 12:49 PM 29904]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 12:05 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 12:05 PM 497320]
S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/29/2012 9:49 PM 24064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9FA00F3A
*NewlyCreated* - TRUESIGHT
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 09:28]
.
2013-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2013-04-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]
.
2013-04-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]
.
2013-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]
.
2013-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]
.
2013-04-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: alaskausa.org\ultrabranch
Trusted Zone: alaskausa.org\www
Trusted Zone: amazon.com\www
Trusted Zone: aol.com\mail
Trusted Zone: aol.com\my.screenname
Trusted Zone: bankofamerica.com\safe
Trusted Zone: bankofamerica.com\www
Trusted Zone: chase.com\chaseonline
Trusted Zone: clonewarsadventures.com
Trusted Zone: facebook.com\apps
Trusted Zone: facebook.com\www
Trusted Zone: freerealms.com
Trusted Zone: games-workshop.com\www
Trusted Zone: kingcounty.gov\www
Trusted Zone: live.com\login
Trusted Zone: malwarebytes.org\forums
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: netflix.com\movies
Trusted Zone: netflix.com\signup
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: wa.gov\fortress
Trusted Zone: wccnet.edu\blackboard9
Trusted Zone: wednet.edu\mail.auburn
Trusted Zone: windowsupdate.com\download
Trusted Zone: windowsupdate.com\www
Trusted Zone: wm.com\www
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-12 00:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1614895754-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:ee,39,e6,33,9f,d3,4f,13,28,be,73,7f,d9,dd,64,be,8d,e0,f8,c2,54,
4e,ea,d8,56,32,97,6b,e9,3d,40,aa,2d,e2,53,01,79,76,81,af,cf,06,23,b4,d5,a0,\
"rkeysecu"=hex:3f,f5,91,b9,bf,e0,d1,30,e8,f4,28,b5,04,e4,ca,b2
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(984)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-04-12 00:11:57
ComboFix-quarantined-files.txt 2013-04-12 07:11
ComboFix2.txt 2012-05-14 03:50
.
Pre-Run: 219,084,001,280 bytes free
Post-Run: 219,606,740,992 bytes free
.
- - End Of File - - 187F347A86553FA5BEE0292D64341559

#6 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 12 April 2013 - 10:09 AM

You have a lot of items in your trusted zone. Anything placed here is more "dangerous" to your system as because you say it is trusted... it won't be "scrutinized" as much. I would remove everything from the trusted zone unless I absolutely had to place it there (and really trusted it). There is no chance that I would call facebook a trusted zone!!!


Let's get an online scan:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Also please update me as to how your system seems to be running now.
Posted Image

#7 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 12 April 2013 - 12:17 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=18fc5ae4eb0b2c499fc6b250cb676f56
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-14 05:45:42
# local_time=2012-05-13 10:45:42 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 42 93 0 3748827 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776894 75 4 0 0 0 0
# scanned=140645
# found=0
# cleaned=0
# scan_time=2482
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=18fc5ae4eb0b2c499fc6b250cb676f56
# engine=13607
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-04-12 05:12:13
# local_time=2013-04-12 10:12:13 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 2419997 16573623 0 0
# compatibility_mode=9217 16776894 75 4 8976944 8976944 0 0
# scanned=150875
# found=1
# cleaned=0
# scan_time=4223
sh=FF19868F60E16DE4359F0FB3C947009949CC374A ft=0 fh=0000000000000000 vn="Win32/PSWTool.KonBoot.A application" ac=I fn="C:\Documents and Settings\Robert\My Documents\FIX\HBCD\Hiren's.BootCD.13.0.iso"

#8 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 12 April 2013 - 01:56 PM

Nothing of consequence there. Hirens was flagged because it can be used for malicious intent... specifically it is flagged because it can be used to view your windows password. It appears that you purposefully downloaded the .iso yourself so I doubt if it is being used maliciously.

How do things seem to be running now?
Posted Image

#9 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 12 April 2013 - 02:10 PM

I don't know what Hiren's is or an iso. How do I know if I downloaded it? What is "Win32/PSWTool.KonBoot.A application"?

The firewall is still popping up with the suspicious behavior warning: Setup Launcher Unicode is trying to launch C:\WINDOWS\system32\msiexec.exe, or use another program to gain access to privileged resources. When I click on more info it says:

Application:
C\WINDOWS\system32\config\systemprofile\LocalSettings\temp\._MSIGE61\GOOGLEEARTH.EXE

#10 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 12 April 2013 - 03:56 PM

msiexec.exe is the microsoft installer. It is what most windows programs use to install

GOOGLEEARTH.EXE is the installation program for Google Earth. It is trying to install Google Earth and it uses msiexec.exe to do it. Do you want to install Google Earth?

Win32/PSWTool.KonBoot.A application is the name of the warning. the Win32 tells you that it effects 32 bit systems (but can effect 64 bit also) if it said Win64 it could only effect the 64 bit portion of the operating system. Yours is a 32 bit only system. PSWTool tells you the family. In this case it means password tool. KonBoot is the routine in the program that can be used to manipulate the password. The A is just the identifier. Typically the first instance would be A then the next one would be B and so on.

The Hirens .iso is an image that can be burned to a CD that will allow you to boot your computer from a CD that will allow you to operate in a PE environment. It is similiar to booting from a linux boot CD except it is a windows environment... but not the operating system that is on your harddrive that you normally operate from. More about it can be found here: http://en.wikipedia....ren%27s_BootCD. It really doesn't do anything for/to you unless you burn it on a CD and boot from it.

It sounds like you did not download it. Therefore we can remove it.

Also, let me know about Google earth and we can make it stop trying to install.
Posted Image

#11 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 12 April 2013 - 04:10 PM

Yeah I'm pretty sure I didn't download anything called Hirens so we should probably remove it.

And I already have google earth installed and i haven't touched it in ages so it seems strange that it would be trying to install.

#12 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 13 April 2013 - 12:29 AM

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C\WINDOWS\system32\config\systemprofile\LocalSettings\temp\._MSIGE61\GOOGLEEARTH.EXE
    
    Folder::
    C:\Documents and Settings\Robert\My Documents\FIX\HBCD
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"=-
    "6112:TCP"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    Clearjavacache::
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Then also let me know if you are still flashing the errors. If you are... then please run this tool:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxe:
  • List last 10 Event Viewer log
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Posted Image

#13 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 14 April 2013 - 04:46 PM

The combofix prompted to update when I ran it so I said ok. I hope that was ok. Here is the log. I will wait and see if I am still getting the errors and run the minitoolbox if I am.


ComboFix 13-04-14.01 - Robert 04/14/2013 14:13:49.9.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2252 [GMT -7:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Robert\My Documents\FIX\HBCD
c:\documents and settings\Robert\My Documents\FIX\HBCD\BurnCDCC.exe
c:\documents and settings\Robert\My Documents\FIX\HBCD\BurnToCD.cmd
c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch.zip
c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\data.dat
c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\Patch.cmd
c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\PatchInfo.txt
c:\documents and settings\Robert\My Documents\FIX\HBCD\HBCD.txt
c:\documents and settings\Robert\My Documents\FIX\HBCD\HBCDCustomizer.exe
c:\documents and settings\Robert\My Documents\FIX\HBCD\Hiren's.BootCD.13.0.iso
.
.
((((((((((((((((((((((((( Files Created from 2013-03-14 to 2013-04-14 )))))))))))))))))))))))))))))))
.
.
2013-04-14 19:59 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8003AC02-9551-47EC-9726-3E526A42B6E3}\mpengine.dll
2013-04-14 09:31 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-21 18:21 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-18 05:19 . 2013-03-18 05:18 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-18 05:19 . 2013-03-18 05:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-04 21:50 . 2010-02-28 00:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 10:33 . 2010-12-31 06:17 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-18 05:18 . 2012-05-09 03:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-18 05:18 . 2011-08-23 00:50 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 09:28 . 2012-06-26 20:25 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 09:28 . 2012-06-26 20:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2009-05-20 22:55 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55 . 2008-04-14 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 23:59 . 2011-04-18 20:18 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-09-01 23:33 . 2010-12-31 23:11 83968 ----a-w- c:\program files\remover.exe
2013-04-12 05:41 . 2013-04-12 05:40 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-01-31 138096]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-10-03 1409384]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-08 73392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-02 738984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]
"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Army Builder\\ArmyBuilder.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3074:TCP"= 3074:TCP:*:Disabled:xbox live
"3074:UDP"= 3074:UDP:*:Disabled:xbox live
.
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 12:05 PM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 12:05 PM 497320]
S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/29/2012 9:49 PM 24064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL9FA00F3A
*NewlyCreated* - TRUESIGHT
*Deregistered* - MpKsl9fa00f3a
*Deregistered* - TrueSight
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 09:28]
.
2013-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2013-04-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004Core.job
- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]
.
2013-04-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004UA.job
- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]
.
2013-04-14 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-14 14:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1614895754-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:ee,39,e6,33,9f,d3,4f,13,28,be,73,7f,d9,dd,64,be,8d,e0,f8,c2,54,
4e,ea,d8,56,32,97,6b,e9,3d,40,aa,2d,e2,53,01,79,76,81,af,cf,06,23,b4,d5,a0,\
"rkeysecu"=hex:3f,f5,91,b9,bf,e0,d1,30,e8,f4,28,b5,04,e4,ca,b2
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(984)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-04-14 14:24:02
ComboFix-quarantined-files.txt 2013-04-14 21:23
ComboFix2.txt 2013-04-12 07:11
ComboFix3.txt 2012-05-14 03:50
.
Pre-Run: 219,274,387,456 bytes free
Post-Run: 219,451,011,072 bytes free
.
- - End Of File - - 9E25D12DB5BDF07BABA60ABB2ECF2580

#14 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 14 April 2013 - 09:01 PM

OK... I'll be waiting. :)
Posted Image

#15 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 15 April 2013 - 06:19 PM

Still getting the error messages.

MiniToolBox by Farbar Version:05-03-2013
Ran by Robert (administrator) on 15-04-2013 at 16:16:31
Running from "C:\Documents and Settings\Robert\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/14/2013 02:09:54 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/12/2013 08:28:36 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/11/2013 11:53:05 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service) (User: )
Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service) (User: )
Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 20


System errors:
=============
Error: (04/14/2013 02:19:14 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/14/2013 02:13:29 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/14/2013 02:12:02 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:57:59 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:55:33 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:54:48 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/10/2013 08:44:28 AM) (Source: DCOM) (User: METATRON)
Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (04/06/2013 00:00:34 AM) (Source: DCOM) (User: METATRON)
Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (03/29/2013 08:18:54 AM) (Source: DCOM) (User: METATRON)
Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (03/28/2013 03:43:16 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.147.673.0).


Microsoft Office Sessions:
=========================
Error: (04/14/2013 02:09:54 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/12/2013 08:28:36 AM) (Source: MPSampleSubmission)(User: )
Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/11/2013 11:53:05 PM) (Source: MPSampleSubmission)(User: )
Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service)(User: )
Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service)(User: )
Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 20


**** End of log ****

#16 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 17 April 2013 - 09:21 AM

I'm sorry... but I'm not seeing it.

Are you getting the same Google earth and 7-zip errors?

What exactly do the errors say?

I don't see any mention of them in your error logs.
Posted Image

#17 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 17 April 2013 - 09:55 AM

Why wont this thing let me post a screen shot? Anyways it says:

GoogleEarth-Win-Bundle-7.0.3.8542:error
7-Zip: Internal error, code 105.

#18 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 17 April 2013 - 11:34 PM

These errors both seem to be related to Google Earth. I can find where several people have had the same issue... going back a couple of years. Some have said they resolved the issue by uninstalling Google Earth and then re-installing it fresh - but some of these say the issue returns in a couple days (or weeks). Some have said that they only resolved this after the uninstalled Google Earth... Redownloaded the Goggle Earth installer... shut off their AV and Firewall (specifically if it is a third party firewall like Zone Alarm)... and then reinstalling. I found some who resolved it be deleting the installer file but we already tried that and it apparently didn't work.

I haven't found a consistent resolution. I'll get back to you when I have a realistic theory.
Posted Image

#19 zoot56

zoot56

    Regular Member

  • Honorary Members
  • PipPip
  • 75 posts

Posted 18 April 2013 - 09:19 AM

Thank you very much I wish this thing would just stop. Should I try any of those things? Has anyone allowed the firewall to let the thing launch?

#20 Tomk1

Tomk1

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 214 posts
  • Gender:Male

Posted 18 April 2013 - 11:00 PM

Let's try it. I think it will install without being connected to the internet.

Uninstall Google earth.

Then download the new installer.

Then disconnect your computer from the internet (unplug if wired... shut off wifi if wireless) and then shut off your AV and your firewall (this is why I want you disconnected from the internet because without your AV and firewall you are vulnerable).

Now run the installer (hopefully it will work while disconnected from the net). Once the installer has completed it's job... turn your AV and firewall back on... connect to the internet... and let me know how we did.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users