RunDown

Infected...I think - CoCreateInstance failure

9 posts in this topic

Hello,

I think i've been infected by something. At first no .exe would run except my default browser (FireFox). Then I got that kind of resolved. At least many programs run now. However, most programs i can't run simply by double clicking on the desktop icons. I have to right-click and "Open" them instead.

And additionally, I can't install Malwarebytes Anti-Malware. I had a copy already on my computer when i realized something was wrong (with the .exe files) and ran it, it wanted to update and so i let it but when it did i got a "CoCreateInstance failed" error message when it got to the last few (.dll's, i believe) files of the installation. It then proceeded to act like it was finishing up installation and after it appeared to finish it popped up a couple of Runtime errors and then nothing happened, and the Malwarebytes folder it created is populated but unable to run the program.

I tried to resolve this issue on my own but only managed to semi-solve the .exe problem, i still can't install or run malwarebyte's program.

Here are the things i've already tried, I've tried all of the appropriate choices except the unhide.exe step (it didn't seem appropriate) from the "Malwarebytes Anti-Malware won't run or failed to resolve my issues" and none have resulted in successful installation of the program. Chameleon will run but it gets the same cocreateinstance errors and runtime errors even though it thinks it was successful.

I have also run Spybot S&D, which did find a registry key which it "took care of" (I have the log from that if it would be useful). After looking at some other postings of similar CoCreateInstance issues, I also ran ComboFix, SecurityCheck, xp_exe_fix, and adwcleaner. I have some of the logs created by those programs as well if useful. I also have *attached* the dds files if useful.

I could really use some help on what steps i could take next.

Thank you

david

dds

-------------------

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Run by Owner at 17:44:42 on 2013-02-17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1004 [GMT -7:00]

.

.

============== Running Processes ================

.

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\program files\ncsoft\launcher\NCLauncher.exe

C:\Documents and Settings\Owner\Application Data\Spotify\Data\SpotifyWebHelper.exe

C:\Documents and Settings\Owner\Application Data\Spotify\Spotify.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.emachines.com/

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.6.0_22\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre1.6.0_22\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized

uRun: [spotify Web Helper] "c:\documents and settings\owner\application data\spotify\data\SpotifyWebHelper.exe"

uRun: [spotify] "c:\documents and settings\owner\application data\spotify\Spotify.exe" /uri spotify:autostart

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe

mRun: [CHotkey] zHotkey.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [sMSystemAnalyzer] "c:\program files\iolo\system mechanic 7\SMSystemAnalyzer.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346094791984

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: NameServer = 74.211.15.210 74.211.15.211 74.211.89.201

TCP: Interfaces\{05567071-9353-4A3F-AF2D-A3542C6C9D2F} : DHCPNameServer = 74.211.15.210 74.211.15.211 74.211.89.201

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2007-12-16 566120]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2007-12-16 566120]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-9-7 202048]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-17 40776]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-8 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-8 1393144]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-12-12 25856]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

.

=============== File Associations ===============

.

FileExt: .jse: JSEFile=NOTEPAD.EXE %1

FileExt: .wsf: WSFFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2013-02-18 00:29:00 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-02-18 00:29:00 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2013-02-18 00:28:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-02-18 00:28:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-18 00:28:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-17 19:23:33 -------- d-----w- c:\windows\pss

2013-02-16 17:42:02 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{26453b8e-dede-4e7c-a608-37c5ae7f51e8}\offreg.dll

2013-02-16 03:04:42 6991832 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{26453b8e-dede-4e7c-a608-37c5ae7f51e8}\mpengine.dll

2013-02-15 19:50:47 -------- d-sha-r- C:\cmdcons

2013-02-15 18:09:10 208896 ----a-w- c:\windows\MBR.exe

2013-02-15 18:09:09 98816 ----a-w- c:\windows\sed.exe

2013-02-15 18:09:09 256000 ----a-w- c:\windows\PEV.exe

2013-02-14 20:56:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\Spotify

2013-02-14 20:55:25 -------- d-----w- c:\documents and settings\owner\application data\Spotify

2013-02-14 18:33:09 -------- d-----w- C:\iolo

2013-02-14 17:27:55 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth

.

==================== Find3M ====================

.

2013-02-14 23:32:18 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-14 23:32:18 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-14 23:32:16 15739760 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-17 08:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-07 01:16:02 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:36:58 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll

2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll

2012-12-26 20:16:28 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 17:45:58.96 ===============

attach

-----------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 1/16/2006 9:36:02 PM

System Uptime: 2/17/2013 5:33:41 PM (0 hours ago)

.

Motherboard: MICRO-STAR | | MS-7184

Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2188/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 182 GiB total, 79.321 GiB free.

D: is FIXED (FAT32) - 4 GiB total, 2.409 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1220: 11/20/2012 8:53:00 PM - Software Distribution Service 3.0

RP1221: 11/30/2012 9:56:44 AM - Software Distribution Service 3.0

RP1222: 12/1/2012 2:58:09 PM - System Checkpoint

RP1223: 12/2/2012 9:36:45 PM - System Checkpoint

RP1224: 12/6/2012 3:10:50 PM - Software Distribution Service 3.0

RP1225: 12/10/2012 12:38:21 PM - Software Distribution Service 3.0

RP1226: 12/11/2012 9:01:01 AM - Software Distribution Service 3.0

RP1227: 12/12/2012 10:38:27 PM - Software Distribution Service 3.0

RP1228: 12/15/2012 6:50:38 AM - Software Distribution Service 3.0

RP1229: 12/18/2012 1:26:45 PM - Software Distribution Service 3.0

RP1230: 1/3/2013 10:49:14 AM - Software Distribution Service 3.0

RP1231: 1/3/2013 12:40:32 PM - Software Distribution Service 3.0

RP1232: 1/10/2013 7:35:11 AM - Software Distribution Service 3.0

RP1233: 1/10/2013 9:13:38 PM - Software Distribution Service 3.0

RP1234: 1/11/2013 9:10:59 AM - Software Distribution Service 3.0

RP1235: 1/14/2013 10:12:53 PM - System Checkpoint

RP1236: 1/17/2013 11:03:52 AM - Software Distribution Service 3.0

RP1237: 1/17/2013 11:08:16 AM - Software Distribution Service 3.0

RP1238: 2/3/2013 6:26:26 PM - Software Distribution Service 3.0

RP1239: 2/13/2013 8:27:46 PM - Software Distribution Service 3.0

RP1240: 2/14/2013 7:00:16 AM - Software Distribution Service 3.0

RP1241: 2/14/2013 10:30:43 AM - Software Distribution Service 3.0

RP1242: 2/14/2013 8:14:48 PM - Software Distribution Service 3.0

RP1243: 2/15/2013 9:34:02 AM - Software Distribution Service 3.0

RP1244: 2/15/2013 8:04:36 PM - Software Distribution Service 3.0

RP1245: 2/15/2013 10:30:52 PM - Software Distribution Service 3.0

RP1246: 2/16/2013 9:41:22 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

6300

6300Trb

Actiontec Gateway

Adobe Flash Player 11 Plugin

Adobe Reader 8.1.2

Adobe® Photoshop® Album Starter Edition 3.0

Adobe® Photoshop® Album Starter Edition 3.0.1

AiO_Scan_CDA

AiOSoftwareNPI

America Online (Choose which version to remove)

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Applian Director

ArcView GIS 3.2

ArcView Spatial Analyst

BigFix

Bluetooth Stack for Windows

Bonjour

BufferChm

Champions Online

CP_AtenaShokunin1Config

CP_CalendarTemplates1

cp_OnlineProjectsConfig

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

cp_PosterPrintConfig

Critical Update for Windows Media Player 11 (KB959772)

CueTour

DeductionPro 2005-06

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

Digital Media Reader

DNRGarmin

DocProc

DocumentViewer

DocumentViewerQFolder

DVDFab 8.1.3.8 (09/12/2011) Qt

eSupportQFolder

Fable - The Lost Chapters

Fax_CDA

ffdshow [rev 2527] [2008-12-19]

FullDPAppQFolder

Game Cam 2.2

Garmin MapSource

Google Toolbar for Internet Explorer

HandBrake 0.9.5

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Document Viewer 6.1

HP Imaging Device Functions 6.1

HP Photosmart Premier Software 6.1

HP PSC & OfficeJet 6.1.A

HP Solution Center and Imaging Support Tools 6.1

HP Update

HPProductAssistant

InstantShareDevices

iolo technologies' System Mechanic 7

iTunes

J2SE Runtime Environment 5.0 Update 2

Java Auto Updater

Java™ 6 Update 2

Java™ 6 Update 22

Java™ 6 Update 3

LiveUpdate 2.0 (Symantec Corporation)

Lizardtech Express View

Malwarebytes Anti-Malware version 1.70.0.1100

Map Patch

MapSource

Microsoft .NET Framework 1.0 Hotfix (KB2572066)

Microsoft .NET Framework 1.0 Hotfix (KB2604042)

Microsoft .NET Framework 1.0 Hotfix (KB2656378)

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 1.0 Security Update (KB2698035)

Microsoft .NET Framework 1.0 Security Update (KB2742607)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Money 2005

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works

MotoHelper 2.0.24 Driver 4.7.1

MotoHelper MergeModules

Motorola Mobile Drivers Installation 4.7.1

Mozilla Firefox 18.0.2 (x86 en-US)

Mozilla Maintenance Service

MSN

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Multimedia Keyboard Driver

Napster

Napster Burn Engine

NCsoft Launcher

Nero BurnRights

Nero OEM

NewCopy_CDA

NVIDIA Control Panel 306.81

NVIDIA Graphics Driver 306.81

NVIDIA Install Application

NVIDIA nView 136.28

NVIDIA Update 1.10.8

NVIDIA Update Components

OpenOffice.org 3.3

Opera 12.14

Pando Media Booster

PanoStandAlone

Pdf995 (installed by TaxCut)

PdfEdit995 (installed by TaxCut)

PhotoGallery

PowerDVD

ProductContextNPI

Pure Networks Port Magic

QuickTime

RandMap

Readme

RealPlayer Basic

Realtek AC'97 Audio

Recovery Software Suite eMachines

Replay Music

Rhapsody

Safari

Saunders NCLEX-RN4e

Scan

ScannerCopy

Scribus 1.3.3.13

Seagate Crystal Reports for ESRI

Security Task Manager 1.7

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2753842)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SkinsHP1

SoftV92 Data Fax Modem with SmartCP

SolutionCenter

Sonic Encoders

Sonic_PrimoSDK

Spotify

Spybot - Search & Destroy

Starcraft

Status

Symantec AntiVirus

SyncToy

System Requirements Lab

TaxCut Arizona 2007

TaxCut Premium + State 2007

TaxCut Premium 2005

TaxCut Premium 2006

Toolbox

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB971180)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows Media Player 10 (KB913800)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676-v2)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB953356)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

WebFldrs XP

WebReg

Windows Defender

Windows Defender Signatures

Windows Genuine Advantage v1.3.0254.0

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB2619340

Windows XP Media Center Edition 2005 KB2628259

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

WinZip

World of Warcraft

.

==== Event Viewer Messages From Past Week ========

.

2/17/2013 4:23:30 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).

2/17/2013 12:29:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

2/17/2013 12:29:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SAVRT SYMTDI Tcpip Tosrfcom WS2IFSL

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

2/17/2013 12:28:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

2/15/2013 12:44:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

2/14/2013 7:00:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2789643).

2/13/2013 8:18:33 PM, error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

2/13/2013 8:18:33 PM, error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

2/13/2013 8:11:48 PM, error: PlugPlayManager [12] - The device 'PS/2 Compatible Mouse' (ACPI\PNP0F13\3&61aaa01&1) disappeared from the system without first being prepared for removal.

2/13/2013 8:10:41 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

2/13/2013 10:06:29 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================

Share this post


Link to post
Share on other sites

ID: 2   Posted (edited)

Hello David,

eusa_hand.gifPlease STOP self-medicating by running tools on your own. If you will follow my guidance and have patience, we can do better.

Having two or more installed & active antivirus programs will lead to conflicts and deadlocks.

What antivirus (if any) was pre-installed when the system was new ?

Have you ever used Iolo System Mechanic on this system?

Some options of this tool will lead to a crippling of the windows installer service and will also lead to failing Windows Updates.

Have you used it? and when ?

I URGE you to NOT use System Mechanic, ever, and also not to use any -other- registry tweaker, tuner, cleaner-upper or what's-it icon_twisted.gif

I will need a copy of the logs you have from the other tools {except for Spybot}.

I especially need copy of C:\Combofix.txt

Do NOT attach any logs. Always Copy and Paste directly inside main body of reply box.

Spybot's Tea Timer will interfere and it will revert any "fixes" we make. Turn it OFF and keep it OFF.

Start Spybot-S&D, switch to the Advanced mode via the menu bar item Mode

then select Advanced Mode

On the left hand side, slect Tools

Then click on the Resident icon in the list

Uncheck Resident TeaTimer and OK any prompts.

Now Logoff & Restart your computer fresh.

  • Download & SAVE to your Desktop >> Tigzy's RogueKillerfrom here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

Thank you for getting back to me, I'll definitely stop the self-medication!

I've included the texts from the various logs below, in order: ComboFix, exehelper, rkill, RogueKiller, SecurityCheck and FSS.

As far as the other programs i have. I haven't run SystemMechanic 7 since XP SP3 came out, that killed that version of SystemMechanic, I haven't bothered to clean house and uninstall it but am happy to do so. I'll wait until everything is fixed to do so (unless you advise me otherwise). Norton AV is the first antivirus i've had on the computer and it and Spybot are the only things that run automatically at this point. What malware/antivirus programs should i get rid of? Which single program of what I have do you recommend?

TeaTimer is off and i'll wait on your instructions for my next move. Thank you again!

ComboFix.txt

--------------------

ComboFix 13-02-15.01 - Owner 02/15/2013 12:57:13.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1288 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\Application Data\inst.exe

c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp

c:\documents and settings\Owner\WINDOWS

c:\documents and settings\UpdatusUser\WINDOWS

C:\install.exe

c:\windows\0

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\wininit.ini

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2013-01-15 to 2013-02-15 )))))))))))))))))))))))))))))))

.

.

2013-02-14 20:56 . 2013-02-15 18:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Spotify

2013-02-14 20:55 . 2013-02-15 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Spotify

2013-02-14 18:33 . 2013-02-14 18:33 -------- d-----w- C:\iolo

2013-02-14 17:27 . 2013-02-14 17:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2013-02-14 03:27 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{F5638409-4435-4CCF-B496-B6E2134CE26B}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-14 23:32 . 2012-11-05 05:12 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-02-14 23:32 . 2011-05-23 02:33 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-02-14 23:32 . 2012-11-05 05:32 15739760 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2013-01-26 03:55 . 2005-04-13 16:55 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-17 08:28 . 2009-10-08 23:55 232336 ------w- c:\windows\system32\MpSigStub.exe

2013-01-08 04:57 . 2006-04-27 00:58 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2013-01-07 01:16 . 2005-04-13 16:55 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:36 . 2004-08-04 05:59 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20 . 2005-04-13 16:56 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49 . 2005-04-13 16:55 1292288 ----a-w- c:\windows\system32\quartz.dll

2012-12-26 20:16 . 2005-04-13 16:56 916480 ----a-w- c:\windows\system32\wininet.dll

2012-12-26 20:16 . 2005-04-13 16:55 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-12-26 20:16 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-12-24 06:40 . 2005-04-13 16:55 385024 ----a-w- c:\windows\system32\html.iec

2012-12-16 12:23 . 2005-04-13 16:55 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-14 23:49 . 2011-03-25 06:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2007-05-28 16:45 . 2013-02-14 19:09 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll

2007-05-28 16:45 . 2013-02-14 19:09 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll

2013-02-14 19:10 . 2013-02-14 19:09 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2012-08-27 38744]

"Spotify Web Helper"="c:\documents and settings\Owner\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2013-02-15 1103768]

"Spotify"="c:\documents and settings\Owner\Application Data\Spotify\Spotify.exe" [2013-02-15 4484504]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"CHotkey"="zHotkey.exe" [2005-05-03 543232]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]

"NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - [N/A]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Manager.lnk - [N/A]

HP Digital Imaging Monitor.lnk - [N/A]

HP Photosmart Premier Fast Start.lnk - [N/A]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Owner\Application Data\iolo"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Cryptic Studios\\Champions Online\\Live\\GameClient.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1544\\Agent.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1637\\Agent.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Spotify\\spotify.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58989:TCP"= 58989:TCP:Pando Media Booster

"58989:UDP"= 58989:UDP:Pando Media Booster

.

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/16/2007 11:55 AM 566120]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/16/2007 11:55 AM 566120]

R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [9/7/2010 9:47 AM 202048]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [12/12/2010 1:41 PM 25856]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/14/2008 9:18 AM 47360]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-05 17:29]

.

2013-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]

.

2011-11-25 c:\windows\Tasks\MotoHelper MUM.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]

.

2013-02-15 c:\windows\Tasks\MotoHelper Routing.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]

.

2012-09-11 c:\windows\Tasks\MotoHelper Update.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47]

.

2013-02-15 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html

TCP: DhcpNameServer = 74.211.15.210 74.211.15.211 74.211.89.201

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe

HKCU-Run-PlayNC Launcher - (no file)

Notify-AtiExtEvent - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-15 13:04

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\.sol]

@DACL=(02 0000)

@SACL=

"Content Type"="text/plain"

.

[HKEY_LOCAL_MACHINE\software\Classes\.sor]

@DACL=(02 0000)

@SACL=

"Content Type"="text/plain"

.

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\CLSID]

@DACL=(02 0000)

@="{D27CDB6E-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\CurVer]

@DACL=(02 0000)

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon]

@DACL=(02 0000)

@="c:\\Program Files\\HP\\Digital Imaging\\help\\player\\FlashPla.exe,1"

.

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\shell]

@DACL=(02 0000)

.

Completion time: 2013-02-15 13:06:48

ComboFix-quarantined-files.txt 2013-02-15 20:06

.

Pre-Run: 85,376,978,944 bytes free

Post-Run: 85,956,276,224 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 50E95777A870B220250C25BC935E2CCB

**************************

exehelperlog

---------------------

exeHelper by Raktor

Build 20100414

Run at 16:28:04 on 02/17/13

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

***************************

Rkill.txt

--------------------

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/17/2013 04:23:23 PM in x86 mode.

Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\zHotkey.exe (PID: 136) [WD-HEUR]

* C:\WINDOWS\system32\HPZipm12.exe (PID: 2216) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 02/17/2013 04:24:12 PM

Execution time: 0 hours(s), 0 minute(s), and 48 seconds(s)

*********************

RKreport[1]_S_02202013_02d1108

-----------------------

RogueKiller V8.5.1 [Feb 20 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Scan -- Date : 02/20/2013 11:08:40

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0xE2900678)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3200826A +++++

--- User ---

[MBR] 7e2b7451b50f42356955d4e9036a7ecc

[bSP] 74a11c150ec0fb413f12c867ca5ca2ed : Legit2 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 8723295 | Size: 186512 Mo

1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4259 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02202013_02d1108.txt >>

RKreport[1]_S_02202013_02d1108.txt

**********************************

checkup (from SecurityCheck)

-----------------

Results of screen317's Security Check version 0.99.58

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

Windows Defender

Windows Defender Signatures

Malwarebytes Anti-Malware version 1.70.0.1100

Java 6 Update 22

Java 6 Update 2

Java 6 Update 3

Java version out of Date!

Adobe Flash Player 11.6.602.168

Adobe Reader 8 Adobe Reader out of Date!

Mozilla Firefox (19.0)

````````Process Check: objlist.exe by Laurent````````

Windows Defender MSMpEng.exe

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

Windows Defender MsMpEng.exe

iolo common lib ioloServiceManager.exe

iolo System Mechanic 7 SMSystemAnalyzer.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

***********************************

FSS

------------

Farbar Service Scanner Version: 20-02-2013

Ran by Owner (administrator) on 20-02-2013 at 11:21:06

Running from "C:\Documents and Settings\Owner\Desktop"

Microsoft Windows XP Service Pack 3 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll

[2005-04-13 10:16] - [2008-04-13 17:12] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe

[2005-04-13 09:56] - [2009-02-06 04:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315

Extra List:

=======

Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)

0x080000000400000001000000020000000300000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****

Share this post


Link to post
Share on other sites
Backdoor trojan warning:

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know what you decide.

IF you decide to go forward and hunt & attempt to remove what we find, then start with the following:

  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Double-Click RogueKiller to start it.
  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.
    Put a check next to all of these and uncheck the rest: (if found)
    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND

  • Then click on Delete on the right hand column under Options.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport
    Copy & Paste the contents into a new reply.

Step 2

Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Run the following and post the requested log. Credit Kevinf80 for the following

1. Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the Update completes, select Next

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:

MBAntiRKclean.png

11. Do not select the "Clean up Button" select the "Exit" button, there will be a warning as follows:

MBAntiRKclean1.png

12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

13. Select "Exit" to close down.

14. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log Date and time of scan will also be shown

Image10.png

Post those two logs in your reply.

Share this post


Link to post
Share on other sites

I guess i may just reformat and reinstall. Fortunately the computer was rarely used so i'm not worried much about ID theft.

I would like to try and save some of my documents from the drive if possible. Do you have any recomendations to do so safely, or is that not an issue?

Also, once i have everything redone, do you have a recommendation for a best single malware/antivirus program? I don't think i'll be able to reinstall NortonAV, unless i repurchase a new copy. It has been years since i installed that and the copy is long gone.

Thank you for all your help

Share this post


Link to post
Share on other sites

You can copy your personal files and documents to Offline media (external drive, CD/DVD) to save your stuff.

Understand that you must "scrub" or Scan all those next time by scanning with your Antivirus & with MBAM =before= you copy them back or even open them.

IF you have no current license for Norton, then by all means do not re-install it.

As to what is best, it's tough to judge. ESET, Kaspersky, and Avira are very good. As is MS Security Essentials.

If cost is a factor, you can consider 1 of the free antivirus apps.

There are good free antivirus programs for non-commercial home use are Avira Free Antivirus and Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

I would suggest you get either MSE or Avira.

The sequence to use when switching antivirus is this:

1) Download AND SAVE the setup program of the new antivirus. (Have it handy).

2) Disconnect pc from internet

3) De-install the old antivirus

4) Make sure to Logoff and Restart Windows fresh.

5) Run setup of new antivirus

6) Logoff and Restart fresh

7) Reconnect to internet

7) start the new A-V, and do an Update run (to make sure it is all current)

Note: you will need to install the new Antivirus immediately after restoring Windows. Do not go on the internet with out.

Besides antivirus, I would really recommend you get the MBAM PRO. The license is only a 1-time cost and the license is good forever.

Should you ever retire your old pc and get a new one, you can transfer the MBAM license to the new system.

Regarding a clean (new) Windows Install:

Before you do that, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

I would urge you to follow the directions very carefully.

You will loose your documents so if you have some to save, offload them to a separate offline media. And later on insure you do a full scan of them by running your antivirus.

NOTE: If XP CD is from a pc manufacturer, and they bundled an AV like McAfee or Norton/Symantec trial versions, immediately de-install those, sice they will be outdated & of no use. Install your antvirus immediately after.

Other security references at Microsoft

4 steps to protect your computer

How to boost your malware defense and protect your PC

I wish you well.

Safer practices & malware prevention

Share this post


Link to post
Share on other sites

I do have another question. It turns out this computer didn't come with an XP install disc. Rather it looks like the system restore is off of the D: partition. Is it safe to wipe/reformat the infected C: partition and restore from D: or is it possible that is infected, too?

Thank you

Share this post


Link to post
Share on other sites

Check with your computer-manufacturer (they all have web-based support sites) and follow their directions for starting the Factory Restore procedure off the hidden partition.

Do not "reformat" on your own. Follow the factory restore sequence.

It is "very rare" to unheard of that the restore partition would be "infected".

I wish you well.

Share this post


Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.