zoot56

Suspicious Behavior

26 posts in this topic

I appreciate any help you can give. I'm not sure what is going on. I think I may be infected with something. I keep getting a repeating error window that pops up that looks like this:

GoogleEarth-Win-Bundle-7.0.3.8542:error

7-Zip: Internal error, code 105.

And my firewall also keeps popping up with a repeating suspicious behavior message that says:

Setup Launcher Unicode is trying to launch C:\WINDOWS\system32\msiexec.exe, or use another program to gain access to privileged resources

I keep telling it to "deny" but it keeps coming back.

My Malwarebytes has been updated but it is not detecting anything. Here is the latest scan:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.11.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Robert :: METATRON [administrator]

4/11/2013 10:05:40 AM

mbam-log-2013-04-11 (10-05-40).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 259154

Time elapsed: 14 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here is the DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.17.2

Run by Robert at 11:03:42 on 2013-04-11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1802 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Free Firewall Firewall *Enabled*

.

============== Running Processes ================

.

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Pure Networks\Network Magic\nmapp.exe

C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Google\Update\Install\{A5AE69A3-4216-49D7-BBB7-66C63692B377}\GoogleEarth-Win-Bundle-7.0.3.8542.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: SecureBrowsing bho: {7632ABCA-B104-4fbc-9C70-419C4147061B} - c:\program files\m86security secure browsing\SecureBrowsing.dll

BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: M86 Security Secure Browsing: {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - c:\program files\m86security secure browsing\SecureBrowsing.dll

TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Facebook Update] "c:\documents and settings\robert\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDgwMzQ0NjAyLUJBKzEtS1YzKzctVDQtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1YMjAxMCsyLVFJWDErNC1GMTBNMTBEKzE"&"prod=90"&"ver=10.0.1204

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242920910640

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340742957406

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{EE2BC3A9-D089-42F2-B524-90E2D651376E} : DHCPNameServer = 192.168.0.1

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\robert\application data\mozilla\firefox\profiles\ige9lf9l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\robert\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings

FF - user.js: extensions.zonealarm.hpOld - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112487423416078-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d

FF - user.js: extensions.zonealarm.hpNew - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112487423416078-1600&toolbarId=base&affiliateId=1025&Lan=en&utid=941db9ba00000000000000248c444d7d

FF - user.js: extensions.zonealarm.dspOld - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.dspNew - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.autoRvrt - false

FF - user.js: extensions.zonealarm_i.hmpg - true

FF - user.js: extensions.zonealarm_i.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d

FF - user.js: extensions.zonealarm_i.dfltSrch - true

FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}

FF - user.js: extensions.zonealarm_i.dnsErr - true

FF - user.js: extensions.zonealarm_i.newTab - true

FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d

FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q=

FF - user.js: extensions.zonealarm.id - 941db9ba00000000000000248c444d7d

FF - user.js: extensions.zonealarm.instlDay - 15469

FF - user.js: extensions.zonealarm.vrsn - 1.5.20.3

FF - user.js: extensions.zonealarm.vrsni - 1.5.20.3

FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.20.38:00:02

FF - user.js: extensions.zonealarm.prtnrId - checkpoint

FF - user.js: extensions.zonealarm.prdct - zonealarm

FF - user.js: extensions.zonealarm.aflt - 1600

FF - user.js: extensions.zonealarm_i.smplGrp - none

FF - user.js: extensions.zonealarm.tlbrId - base

FF - user.js: extensions.zonealarm.instlRef - ZLN112936925632837-1600

FF - user.js: extensions.zonealarm.dfltLng - en

FF - user.js: extensions.zonealarm.excTlbr - false

FF - user.js: extensions.zonealarm.admin - false

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 195296]

R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-11-7 527408]

R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-4-30 27056]

R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-4-30 497320]

R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-29 24064]

.

=============== Created Last 30 ================

.

2013-04-11 03:34:27 7108640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9c8848e1-bd45-47b5-95c1-013be969aa3c}\mpengine.dll

2013-04-10 02:49:49 7108640 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2013-03-21 18:21:29 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys

2013-03-18 05:19:15 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-03-18 05:19:10 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

==================== Find3M ====================

.

2013-04-04 21:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-02 10:33:22 237088 ------w- c:\windows\system32\MpSigStub.exe

2013-03-18 05:18:57 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-18 05:18:57 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-13 09:28:30 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-13 09:28:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:06:31 916480 ----a-w- c:\windows\system32\wininet.dll

2013-03-02 02:06:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-02 02:06:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-03-02 01:08:47 385024 ----a-w- c:\windows\system32\html.iec

2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll

2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-20 23:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2013-01-16 06:19:19 1074560 ----a-w- c:\windows\system32\nvdrsdb0.bin

2013-01-16 06:19:19 1 ----a-w- c:\windows\system32\nvdrssel.bin

2013-01-16 06:19:15 1074560 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-09-01 23:33:49 83968 ----a-w- c:\program files\remover.exe

.

============= FINISH: 11:04:33.39 ===============

Here is the Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 5/20/2009 3:59:49 PM

System Uptime: 4/9/2013 8:22:33 PM (39 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | M3N72-D

Processor: AMD Phenom™ 9650 Quad-Core Processor | Socket AM2 | 2299/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 466 GiB total, 203.374 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.6)

Age of Empires III

Age of Empires III - The Asian Dynasties

Age of Empires III - The WarChiefs

AiO_Scan_CDA

AiOSoftwareNPI

Amazon Kindle

AMD Processor Driver

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Army Builder 3.3b

Bonjour

BufferChm

Citrix XenApp Web Plugin

Compatibility Pack for the 2007 Office system

Coupon Printer for Windows

Destinations

DeviceManagementQFolder

DocProc

DocProcQFolder

DVD Suite

ESET Online Scanner v3

eSupportQFolder

EverQuest

F300

F300_Help

Facebook Video Calling 1.2.0.287

Fax_CDA

Garmin Communicator Plugin

Garmin Lifetime Updater

Garmin USB Drivers

Google Earth

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

HP Imaging Device Functions 7.0

HP Photosmart Essential

HP Photosmart, Officejet and Deskjet 7.0.A

HP Solution Center 7.0

HPPhotoSmartExpress

HPProductAssistant

Image Plugin

InstantShareDevicesMFC

iTunes

Java 7 Update 17

Java Auto Updater

JavaFX 2.1.1

M86Security Secure Browsing

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office File Validation Add-In

Microsoft Office Publisher 2003

Microsoft Office Standard Edition 2003

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Windows Media Video 9 VCM

Microsoft WSE 3.0 Runtime

MobileMe Control Panel

Mozilla Firefox 19.0.2 (x86 en-US)

Mozilla Maintenance Service

MSN

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Nero 7 Essentials

neroxml

Network Magic

NewCopy_CDA

NVIDIA Control Panel 310.90

NVIDIA Drivers

NVIDIA Graphics Driver 310.90

NVIDIA HD Audio Driver 1.3.18.0

NVIDIA Install Application

NVIDIA nView 136.53

NVIDIA nView Desktop Manager

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.1031

NVIDIA Update 1.11.3

NVIDIA Update Components

OCR Software by I.R.I.S 7.0

Picasa 3

PowerDVD

PowerISO

ProductContextNPI

Pure Networks Platform

QuickTime

Readme

Realtek High Definition Audio Driver

RIFT

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB2809289)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2753842)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB2807986)

Security Update for Windows XP (KB2808735)

Security Update for Windows XP (KB2813170)

Security Update for Windows XP (KB2813345)

Security Update for Windows XP (KB2820917)

Sid Meier's Civilization 4

Sid Meier's Civilization 4 - Beyond the Sword

Sid Meier's Civilization 4 - Warlords

SimCity 4 Deluxe

SolutionCenter

Spelling Dictionaries Support For Adobe Reader 9

Status

The Sims 2

The Sims™ 3

Toolbox

TrayApp

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Windows Internet Explorer 8 (KB2632503)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB971029)

VC 9.0 Runtime

Ventrilo Client

Ventrilo Server

VLC media player 1.0.5

Warcraft III

Warhammer Online - Age of Reckoning

WebFldrs XP

WebReg

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)

Windows Internet Explorer 8

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Player 11

WinRAR archiver

World of Warcraft

Xfire (remove only)

Yahoo! Detect

ZoneAlarm Firewall

ZoneAlarm Free Firewall

ZoneAlarm LTD Toolbar

ZoneAlarm Security

.

==== End Of File ===========================

Thank you for your help!
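As an added example, not code from this thread, from DDS or from Malwarebytes: a small Python triage pass over the SERVICES / DRIVERS lines of the DDS log above. It reads the trailing `[?]` as DDS's marker for a binary it could not find or stat (my reading of the log format, not something the page documents) and checks whether a service's display name belongs to a built-in Windows service while its key name does not. The `BUILTIN_DISPLAY_NAMES` table and the "two independent flags before review" threshold are my assumptions. A REVIEW verdict means the entry merits a look at the file on disk; it is not a malware determination, and the thread itself does not establish one.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log.

Added example, not code from the thread, DDS or Malwarebytes.
Assumptions (mine, not documented on the page):
  * a trailing "[?]" means DDS could not find/stat the file at that path;
  * the BUILTIN_DISPLAY_NAMES table and the "two flags = review" threshold.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the six service/driver lines copied from the DDS log in the thread.
SAMPLE_DDS_SERVICES = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 195296]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-11-7 527408]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-29 24064]
"""


@dataclass
class ServiceEntry:
    state: str      # DDS token: R = running, S = stopped; the digit is the start type
    name: str       # service key name (HKLM\SYSTEM\CurrentControlSet\Services\<name>)
    display: str    # display name exactly as DDS printed it (padding included)
    image: str      # binary path; right-hand side of "-->" when DDS repeated it
    verified: bool  # False when DDS printed "[?]" instead of "[date size]"
    flags: List[str] = field(default_factory=list)


# Display name -> real key name for a few built-in Windows services. Only the RasMan
# pair is exercised by the sample; the others are assumptions about a fuller table.
BUILTIN_DISPLAY_NAMES = {
    "remote access connection manager": "RasMan",
    "remote procedure call (rpc)": "RpcSs",
    "windows management instrumentation": "winmgmt",
    "task scheduler": "Schedule",
}

LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
INFO_RE = re.compile(r"^(?P<image>.*?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest, verified = m.group("rest"), True
    if rest.endswith("[?]"):
        verified = False
        image = rest[: -len("[?]")].strip()
        # DDS repeats the path after "-->" when it could not stat it; keep the right-hand copy.
        if " --> " in image:
            image = image.split(" --> ", 1)[1].strip()
    else:
        info = INFO_RE.match(rest)
        image = info.group("image") if info else rest
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), image, verified)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic flags to an entry (mutates and returns it)."""
    if not entry.verified:
        entry.flags.append("file_not_verified")
    # Strip and case-fold: the sample's display name carries a trailing space,
    # which would defeat an exact string comparison.
    expected = BUILTIN_DISPLAY_NAMES.get(entry.display.strip().casefold())
    if expected is not None and entry.name.casefold() != expected.casefold():
        entry.flags.append("display_name_collision")
    return entry


def needs_review(entry: ServiceEntry) -> bool:
    """Require two independent signals; "[?]" on its own is noisy (see vsmon)."""
    return len(entry.flags) >= 2


def triage_log(text: str) -> Dict[str, ServiceEntry]:
    """Parse and triage every service line in a DDS services section, keyed by name."""
    entries: Dict[str, ServiceEntry] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries[entry.name] = triage(entry)
    return entries


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_DDS_SERVICES).values():
        verdict = "REVIEW" if needs_review(entry) else ("note" if entry.flags else "ok")
        print(f"{verdict:6} {entry.state} {entry.name:32} {entry.image}  {entry.flags}")
```

Run against the sample, the ZoneAlarm vsmon entry from the same log also gets `file_not_verified`, because its command line carries a `-service` argument and DDS evidently tried the whole string as a path; that is why the script insists on a second, independent signal before marking an entry for review. Only the RasMan32 line collects both flags, and the right next step is to inspect the file it points at, not to conclude anything from the log alone.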


Hi zoot56,

Welcome to Malwarebytes Forum

My name is Tomk1. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.

The fixes are specific to your problem and should only be used for the issues on this machine.

Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.

It's often worth reading through these instructions and printing them for ease of reference.

If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.

Please reply to this thread. Do not start a new topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Let's do a couple of things:

AdwCleaner

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

Then

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.


In addition to these reports, roguekiller made two files on my desktop called "RK_Quarentine" and ".picasaoriginals". What do I do with those?

# AdwCleaner v2.200 - Logfile created 04/11/2013 at 12:46:22

# Updated 02/04/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Robert - METATRON

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Robert\My Documents\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\DOCUME~1\Robert\LOCALS~1\Temp\Uninstall.exe

File Deleted : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\searchplugins\zonealarm.xml

File Deleted : C:\user.js

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\prefs.js

C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [1617 octets] - [11/04/2013 12:46:22]

########## EOF - C:\AdwCleaner[s1].txt - [1677 octets] ##########

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Robert [Admin rights]

Mode : Scan -- Date : 04/11/2013 12:56:47

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00A7B2 +++++

--- User ---

[MBR] 939f19ba167ed9e3214caba0c930aa92

[bSP] 624ba18a9061ea14c4a0a395eb9a19a0 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_04112013_02d1256.txt >>

RKreport[1]_S_04112013_02d1256.txt

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Robert [Admin rights]

Mode : Remove -- Date : 04/11/2013 12:57:46

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-00A7B2 +++++

--- User ---

[MBR] 939f19ba167ed9e3214caba0c930aa92

[bSP] 624ba18a9061ea14c4a0a395eb9a19a0 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_04112013_02d1257.txt >>

RKreport[1]_S_04112013_02d1256.txt ; RKreport[2]_D_04112013_02d1257.txt

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Robert [Admin rights]

Mode : Shortcuts HJfix -- Date : 04/11/2013 13:02:18

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 2 / Fail 0

Quick launch: Success 0 / Fail 0

Programs: Success 3 / Fail 0

Start menu: Success 4 / Fail 0

User folder: Success 1169 / Fail 0

My documents: Success 201 / Fail 201

My favorites: Success 0 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 0 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 276 / Fail 0

Backup: [NOT FOUND]

Drives:

[A:] \Device\Floppy0 -- 0x2 --> Skipped

[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored

[D:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[3]_SC_04112013_02d1302.txt >>

RKreport[1]_S_04112013_02d1256.txt ; RKreport[2]_D_04112013_02d1257.txt ; RKreport[3]_SC_04112013_02d1302.txt


RK_Quarentine is where the "bad" files that RogueKiller removed are stored.

.picasaoriginals has nothing to do with the tools you ran. It has always been there... it was just hidden. We changed your settings to "show hidden files" so we can see what is hiding. :)

OK... another tool

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether you want to continue. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


ComboFix 13-04-11.01 - Robert 04/11/2013 23:55:43.8.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1978 [GMT -7:00]

Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-03-12 to 2013-04-12 )))))))))))))))))))))))))))))))

.

.

2013-04-12 05:41 . 2013-04-12 05:41 26520 ----a-w- c:\program files\Mozilla Firefox\updated\plugin-hang-ui.exe

2013-04-11 19:49 . 2013-04-11 19:49 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\MpKsl9fa00f3a.sys

2013-04-11 03:34 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\mpengine.dll

2013-04-10 02:49 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-03-21 18:21 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys

2013-03-18 05:19 . 2013-03-18 05:18 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-03-18 05:19 . 2013-03-18 05:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-04 21:50 . 2010-02-28 00:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-02 10:33 . 2010-12-31 06:17 237088 ------w- c:\windows\system32\MpSigStub.exe

2013-03-18 05:18 . 2012-05-09 03:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-18 05:18 . 2011-08-23 00:50 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-13 09:28 . 2012-06-26 20:25 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-13 09:28 . 2012-06-26 20:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2013-03-02 02:06 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-02 02:06 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-03-02 01:08 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec

2013-02-27 07:56 . 2009-05-20 22:55 2067456 ----a-w- c:\windows\system32\mstscax.dll

2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-01-26 03:55 . 2008-04-14 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-20 23:59 . 2011-04-18 20:18 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2010-09-01 23:33 . 2010-12-31 23:11 83968 ----a-w- c:\program files\remover.exe

2013-03-13 06:37 . 2013-02-20 18:34 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Facebook Update"="c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-01-31 138096]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-10-03 1409384]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-08 73392]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-02 738984]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]

"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNDgwMzQ0NjAyLUJBKzEtS1YzKzctVDQtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1YMjAxMCsyLVFJWDErNC1GMTBNMTBEKzE&prod=90&ver=10.0.1204" [?]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Army Builder\\ArmyBuilder.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=

"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3074:TCP"= 3074:TCP:*:Disabled:xbox live

"3074:UDP"= 3074:UDP:*:Disabled:xbox live

"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

.

R1 MpKsl9fa00f3a;MpKsl9fa00f3a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9C8848E1-BD45-47B5-95C1-013BE969AA3C}\MpKsl9fa00f3a.sys [4/11/2013 12:49 PM 29904]

R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 12:05 PM 27056]

R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 12:05 PM 497320]

S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/29/2012 9:49 PM 24064]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL9FA00F3A

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 09:28]

.

2013-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]

.

2013-04-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004Core.job

- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]

.

2013-04-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004UA.job

- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]

.

2013-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]

.

2013-04-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]

.

2013-04-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: alaskausa.org\ultrabranch

Trusted Zone: alaskausa.org\www

Trusted Zone: amazon.com\www

Trusted Zone: aol.com\mail

Trusted Zone: aol.com\my.screenname

Trusted Zone: bankofamerica.com\safe

Trusted Zone: bankofamerica.com\www

Trusted Zone: chase.com\chaseonline

Trusted Zone: clonewarsadventures.com

Trusted Zone: facebook.com\apps

Trusted Zone: facebook.com\www

Trusted Zone: freerealms.com

Trusted Zone: games-workshop.com\www

Trusted Zone: kingcounty.gov\www

Trusted Zone: live.com\login

Trusted Zone: malwarebytes.org\forums

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

Trusted Zone: netflix.com\movies

Trusted Zone: netflix.com\signup

Trusted Zone: soe.com

Trusted Zone: sony.com

Trusted Zone: wa.gov\fortress

Trusted Zone: wccnet.edu\blackboard9

Trusted Zone: wednet.edu\mail.auburn

Trusted Zone: windowsupdate.com\download

Trusted Zone: windowsupdate.com\www

Trusted Zone: wm.com\www

Trusted Zone: youtube.com\www

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-12 00:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1454471165-1614895754-1801674531-1004\Software\SecuROM\License information*]

"datasecu"=hex:ee,39,e6,33,9f,d3,4f,13,28,be,73,7f,d9,dd,64,be,8d,e0,f8,c2,54,

4e,ea,d8,56,32,97,6b,e9,3d,40,aa,2d,e2,53,01,79,76,81,af,cf,06,23,b4,d5,a0,\

"rkeysecu"=hex:3f,f5,91,b9,bf,e0,d1,30,e8,f4,28,b5,04,e4,ca,b2

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(928)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(984)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

Completion time: 2013-04-12 00:11:57

ComboFix-quarantined-files.txt 2013-04-12 07:11

ComboFix2.txt 2012-05-14 03:50

.

Pre-Run: 219,084,001,280 bytes free

Post-Run: 219,606,740,992 bytes free

.

- - End Of File - - 187F347A86553FA5BEE0292D64341559


You have a lot of items in your trusted zone. Anything placed here is more "dangerous" to your system because you say it is trusted... it won't be "scrutinized" as much. I would remove everything from the trusted zone unless I absolutely had to place it there (and really trusted it). There is no chance that I would call facebook a trusted zone!!!

Let's get an online scan:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on the ESET Online Scanner button.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on Start.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also please update me as to how your system seems to be running now.

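The "Trusted Zone:" lines in the ComboFix log above come from per-site overrides stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains: one subkey per domain (optionally one more per host), holding a DWORD per scheme whose value is the zone number (2 = Trusted sites, 4 = Restricted sites). The script below is an added example, not code from this thread or from any of the tools used in it. It parses a regedit export of that key, lists every override in the same domain\host form ComboFix prints, and emits reg delete commands for the Trusted-sites entries so they can be reviewed before anything is removed. The .reg text is constructed to resemble a few of this machine's entries; the hive defaults to HKCU, where per-user overrides live.

```python
r"""List Internet Explorer security-zone overrides from an exported ZoneMap\Domains key.

Added example for this thread; not code from the original post or from any tool in it.
Input: a regedit export (File -> Export) of
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.
"""
import re
from typing import List, Tuple

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Everything after this marker in a key path is ComboFix's "domain\host" label.
DOMAINS_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"

# Constructed sample export; it mimics a few of the Trusted Zone lines in the ComboFix log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\facebook.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\*.update]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.example\www]
"http"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text: str) -> List[Tuple[str, str, int]]:
    """Return (domain\\host label, scheme, zone number) for every override in the export."""
    entries = []
    label = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.find(DOMAINS_MARKER)
            # Keys outside ZoneMap\Domains (e.g. the Domains key itself) carry no overrides.
            label = path[idx + len(DOMAINS_MARKER):] if idx >= 0 else None
            continue
        val = VALUE_RE.match(line)
        if val and label:
            entries.append((label, val.group(1), int(val.group(2), 16)))
    return entries


def trusted_sites(reg_text: str) -> List[str]:
    """Labels ComboFix would print as 'Trusted Zone: ...' (zone 2), one per site."""
    return sorted({label for label, _, zone in parse_zonemap(reg_text) if zone == 2})


def removal_commands(reg_text: str, hive: str = "HKCU") -> List[str]:
    """reg.exe commands that drop each Trusted-sites override; review before running."""
    base = hive + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    return ['reg delete "%s\\%s" /f' % (base, label) for label in trusted_sites(reg_text)]


if __name__ == "__main__":
    for label, scheme, zone in parse_zonemap(SAMPLE_REG):
        print("%-28s %-6s %s" % (label, scheme, ZONE_NAMES.get(zone, zone)))
    print()
    print("\n".join(removal_commands(SAMPLE_REG)))
```

Only zone-2 entries are turned into delete commands; the Restricted-sites entry (zone 4) is listed but kept, since that override is the one doing useful work. Entries whose scheme is "*" apply the zone to every protocol for that site.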

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=18fc5ae4eb0b2c499fc6b250cb676f56

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-05-14 05:45:42

# local_time=2012-05-13 10:45:42 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5891 16776869 42 93 0 3748827 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16776894 75 4 0 0 0 0

# scanned=140645

# found=0

# cleaned=0

# scan_time=2482

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=18fc5ae4eb0b2c499fc6b250cb676f56

# engine=13607

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-04-12 05:12:13

# local_time=2013-04-12 10:12:13 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5892 16777213 88 94 2419997 16573623 0 0

# compatibility_mode=9217 16776894 75 4 8976944 8976944 0 0

# scanned=150875

# found=1

# cleaned=0

# scan_time=4223

sh=FF19868F60E16DE4359F0FB3C947009949CC374A ft=0 fh=0000000000000000 vn="Win32/PSWTool.KonBoot.A application" ac=I fn="C:\Documents and Settings\Robert\My Documents\FIX\HBCD\Hiren's.BootCD.13.0.iso"


Nothing of consequence there. Hiren's was flagged because it can be used for malicious intent... specifically it is flagged because it can be used to view your Windows password. It appears that you purposefully downloaded the .iso yourself so I doubt if it is being used maliciously.

How do things seem to be running now?


I don't know what Hiren's is or an iso. How do I know if I downloaded it? What is "Win32/PSWTool.KonBoot.A application"?

The firewall is still popping up with the suspicious behavior warning: Setup Launcher Unicode is trying to launch C:\WINDOWS\system32\msiexec.exe, or use another program to gain access to privileged resources. When I click on more info it says:

Application:

C\WINDOWS\system32\config\systemprofile\LocalSettings\temp\._MSIGE61\GOOGLEEARTH.EXE


msiexec.exe is the Microsoft installer. It is what most Windows programs use to install.

GOOGLEEARTH.EXE is the installation program for Google Earth. It is trying to install Google Earth and it uses msiexec.exe to do it. Do you want to install Google Earth?

Win32/PSWTool.KonBoot.A application is the name of the warning. The Win32 tells you that it affects 32 bit systems (but can affect 64 bit also); if it said Win64 it could only affect the 64 bit portion of the operating system. Yours is a 32 bit only system. PSWTool tells you the family. In this case it means password tool. KonBoot is the routine in the program that can be used to manipulate the password. The A is just the identifier. Typically the first instance would be A, then the next one would be B and so on.

The Hiren's .iso is an image that can be burned to a CD that will allow you to boot your computer from a CD that will allow you to operate in a PE environment. It is similar to booting from a Linux boot CD except it is a Windows environment... but not the operating system that is on your hard drive that you normally operate from. More about it can be found here: http://en.wikipedia....ren%27s_BootCD. It really doesn't do anything for/to you unless you burn it on a CD and boot from it.

It sounds like you did not download it. Therefore we can remove it.

Also, let me know about Google earth and we can make it stop trying to install.

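The ESET detection line posted earlier is a row of key=value fields (sh, ft, fh, vn, ac, fn), and the detection name in vn follows the platform/type.family.variant pattern described in the reply above, followed by a kind word such as "application". The script below is an added example (my code, not ESET's and not part of the forum's tooling) that parses such lines and splits the name into those parts, so a tool-class detection like KonBoot can be told apart from a trojan detection during triage. The first log line is the one from the thread; the second is constructed. The rule that a short all-uppercase last segment is the variant, and the handling of an "a variant of" prefix, are my assumptions.

```python
r"""Parse ESET Online Scanner detection lines and decompose the detection name.

Added example for this thread; not ESET's code or the forum's tooling.
The key=value line layout and the platform/type.family.variant name shape follow
the log posted above; the splitting rules for shorter names are my assumption.
"""
import re
from typing import Dict, List

# Constructed sample: the first detection line is the one from the thread, the second
# is made up in the same layout so that a non-"application" name is exercised too.
SAMPLE_LOG = r'''# found=2
sh=FF19868F60E16DE4359F0FB3C947009949CC374A ft=0 fh=0000000000000000 vn="Win32/PSWTool.KonBoot.A application" ac=I fn="C:\Documents and Settings\Robert\My Documents\FIX\HBCD\Hiren's.BootCD.13.0.iso"
sh=0123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=0000000000000000 vn="Win32/Kryptik.ABC trojan" ac=I fn="C:\Documents and Settings\Robert\Local Settings\Temp\sample.exe"
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
VARIANT_PREFIX = "a variant of "                      # ESET prefix for heuristic hits (assumed)


def parse_detections(log_text: str) -> List[Dict[str, str]]:
    """One dict per 'sh=...' line; header lines starting with '#' are skipped."""
    rows = []
    for line in log_text.splitlines():
        if not line.startswith("sh="):
            continue
        rows.append({key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)})
    return rows


def decompose_name(vn: str) -> Dict[str, object]:
    """Split e.g. 'Win32/PSWTool.KonBoot.A application' into platform, type, family,
    variant and the trailing kind word. Assumption: a short all-uppercase last segment
    is the variant, and with only two segments left there is no type prefix."""
    if vn.startswith(VARIANT_PREFIX):
        vn = vn[len(VARIANT_PREFIX):]
    name, _, kind = vn.partition(" ")
    platform, _, rest = name.partition("/")
    parts = rest.split(".")
    variant = parts.pop() if len(parts) > 1 and re.fullmatch(r"[A-Z]{1,4}", parts[-1]) else None
    family = parts.pop()
    type_ = parts.pop() if parts else None
    kind = kind.strip()
    return {"platform": platform, "type": type_, "family": family, "variant": variant,
            "kind": kind or None,
            # ESET marks tools/PUAs with an 'application' kind word instead of 'trojan' etc.
            "is_application": kind.endswith("application")}


def summarize(log_text: str) -> List[str]:
    """Triage lines: tool-class detections are called out for a manual decision."""
    out = []
    for row in parse_detections(log_text):
        d = decompose_name(row["vn"])
        verdict = "tool/PUA - confirm it was put there on purpose" if d["is_application"] else "malware"
        # sh is 40 hex characters in this log, the length of a SHA-1; label it as such.
        hash_note = "sha1-length hash" if re.fullmatch(r"[0-9A-Fa-f]{40}", row.get("sh", "")) else "hash?"
        label = d["family"] + ("." + d["variant"] if d["variant"] else "")
        out.append("%s/%s [%s, %s] -> %s" % (d["platform"], label, verdict, hash_note, row["fn"]))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

For the line from the thread this yields a tool/PUA verdict on the Hiren's ISO, which matches the reply's reading: the name carries the "application" kind word and a PSWTool type, not a trojan or worm designation.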

Yeah I'm pretty sure I didn't download anything called Hirens so we should probably remove it.

And I already have google earth installed and i haven't touched it in ages so it seems strange that it would be trying to install.


COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C\WINDOWS\system32\config\systemprofile\LocalSettings\temp\._MSIGE61\GOOGLEEARTH.EXE

    Folder::
    C:\Documents and Settings\Robert\My Documents\FIX\HBCD

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"=-
    "6112:TCP"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-

    Clearjavacache::


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Drag CFScript.txt onto ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then also let me know if you are still flashing the errors. If you are... then please run this tool:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkbox:

  • List last 10 Event Viewer log

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

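A CFScript is plain text: each directive name ends in "::" and the lines that follow belong to it until the next directive. Before dragging one onto ComboFix.exe it is worth confirming that every File:: and Folder:: entry is an absolute drive path and that every Registry:: block opens with a bracketed key, because a path that cannot be resolved is silently not acted on. The checker below is an added example (not part of ComboFix and not from the reply above; the rules are mine). Run on the script posted above, it flags the File:: line, which is missing the colon after the drive letter, which is consistent with the ComboFix log that follows listing only the HBCD folder under Other Deletions.

```python
r"""Sanity-check a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example for this thread, not part of ComboFix or of the helper's instructions.
It knows only the directives used in the thread (File::, Folder::, Registry::,
Clearjavacache::); the check rules are mine. SAMPLE_SCRIPT copies the script posted above.
"""
import re
from typing import Dict, List

SAMPLE_SCRIPT = r"""File::
C\WINDOWS\system32\config\systemprofile\LocalSettings\temp\._MSIGE61\GOOGLEEARTH.EXE

Folder::
C:\Documents and Settings\Robert\My Documents\FIX\HBCD

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
"6112:TCP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Clearjavacache::
"""

KNOWN_SECTIONS = {"File", "Folder", "Registry", "Clearjavacache"}
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # drive letter, colon, backslash
REG_KEY_RE = re.compile(r"^\[(HKLM|HKCU|HKEY_[A-Z_]+)\\.+\]$")  # [HIVE\sub\key]
REG_VALUE_RE = re.compile(r'^"[^"]*"=')                       # "name"=- or "name"="data"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the 'Name::' header they follow."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            sections.setdefault("<no section>", []).append(line)
        else:
            sections[current].append(line)
    return sections


def check_cfscript(text: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing obviously wrong."""
    problems = []
    for name, lines in parse_cfscript(text).items():
        if name not in KNOWN_SECTIONS:
            problems.append("unknown or misplaced section: %s" % name)
            continue
        if name in ("File", "Folder"):
            for path in lines:
                if not WIN_PATH_RE.match(path):
                    problems.append("%s:: entry is not an absolute drive path: %s" % (name, path))
        elif name == "Registry":
            key_seen = False
            for line in lines:
                if line.startswith("["):
                    key_seen = True
                    if not REG_KEY_RE.match(line):
                        problems.append("Registry:: malformed key: %s" % line)
                elif not key_seen:
                    problems.append("Registry:: value line before any key: %s" % line)
                elif not REG_VALUE_RE.match(line):
                    problems.append('Registry:: line is not of the form "name"=...: %s' % line)
    return problems


if __name__ == "__main__":
    for problem in check_cfscript(SAMPLE_SCRIPT) or ["no problems found"]:
        print(problem)
```

The Registry:: rules accept the "name"=- form, which removes a value, and the short HKLM/HKCU hive aliases ComboFix's own log uses. Correcting the drive letter in the sample (C:\WINDOWS\...) makes the check come back clean.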

The combofix prompted to update when I ran it so I said ok. I hope that was ok. Here is the log. I will wait and see if I am still getting the errors and run the minitoolbox if I am.

ComboFix 13-04-14.01 - Robert 04/14/2013 14:13:49.9.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2252 [GMT -7:00]

Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: ZoneAlarm Free Firewall Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Robert\My Documents\FIX\HBCD

c:\documents and settings\Robert\My Documents\FIX\HBCD\BurnCDCC.exe

c:\documents and settings\Robert\My Documents\FIX\HBCD\BurnToCD.cmd

c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch.zip

c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\data.dat

c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\Patch.cmd

c:\documents and settings\Robert\My Documents\FIX\HBCD\DefaultKeyboardPatch\PatchInfo.txt

c:\documents and settings\Robert\My Documents\FIX\HBCD\HBCD.txt

c:\documents and settings\Robert\My Documents\FIX\HBCD\HBCDCustomizer.exe

c:\documents and settings\Robert\My Documents\FIX\HBCD\Hiren's.BootCD.13.0.iso

.

.

((((((((((((((((((((((((( Files Created from 2013-03-14 to 2013-04-14 )))))))))))))))))))))))))))))))

.

.

2013-04-14 19:59 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8003AC02-9551-47EC-9726-3E526A42B6E3}\mpengine.dll

2013-04-14 09:31 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-03-21 18:21 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys

2013-03-18 05:19 . 2013-03-18 05:18 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-03-18 05:19 . 2013-03-18 05:19 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-04 21:50 . 2010-02-28 00:48 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-02 10:33 . 2010-12-31 06:17 237088 ------w- c:\windows\system32\MpSigStub.exe

2013-03-18 05:18 . 2012-05-09 03:45 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-18 05:18 . 2011-08-23 00:50 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-13 09:28 . 2012-06-26 20:25 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-13 09:28 . 2012-06-26 20:25 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-08 08:36 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32 . 2008-04-14 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:06 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2013-03-02 02:06 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-02 02:06 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-02 01:25 . 2008-04-14 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-03-02 01:08 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec

2013-02-27 07:56 . 2009-05-20 22:55 2067456 ----a-w- c:\windows\system32\mstscax.dll

2013-02-12 00:32 . 2008-04-14 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-01-26 03:55 . 2008-04-14 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-20 23:59 . 2011-04-18 20:18 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2010-09-01 23:33 . 2010-12-31 23:11 83968 ----a-w- c:\program files\remover.exe

2013-04-12 05:41 . 2013-04-12 05:40 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Facebook Update"="c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-01-31 138096]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-10-03 1409384]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-08 73392]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-02 738984]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-12-29 15635896]

"NvMediaCenter"="NvMCTray.dll" [2012-12-29 108984]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-12-29 1982312]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Army Builder\\ArmyBuilder.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=

"c:\\Documents and Settings\\Robert\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

"3074:TCP"= 3074:TCP:*:Disabled:xbox live

"3074:UDP"= 3074:UDP:*:Disabled:xbox live

.

R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/30/2012 12:05 PM 27056]

R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/30/2012 12:05 PM 497320]

S2 RasMan32;Remote Access Connection Manager ;c:\windows\system32\mscories32.exe --> c:\windows\system32\mscories32.exe [?]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [3/29/2012 9:49 PM 24064]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL9FA00F3A

*NewlyCreated* - TRUESIGHT

*Deregistered* - MpKsl9fa00f3a

*Deregistered* - TrueSight

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-27 09:28]

.

2013-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]

.

2013-04-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004Core.job

- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]

.

2013-04-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1454471165-1614895754-1801674531-1004UA.job

- c:\documents and settings\Robert\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-01-31 15:26]

.

2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]

.

2013-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 03:43]

.

2013-04-14 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 19:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ige9lf9l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN112936925632837-1600&toolbarId=base&affiliateId=1600&Lan=en&utid=941db9ba00000000000000248c444d7d&q={searchTerms}

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-14 14:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1454471165-1614895754-1801674531-1004\Software\SecuROM\License information*]

"datasecu"=hex:ee,39,e6,33,9f,d3,4f,13,28,be,73,7f,d9,dd,64,be,8d,e0,f8,c2,54,

4e,ea,d8,56,32,97,6b,e9,3d,40,aa,2d,e2,53,01,79,76,81,af,cf,06,23,b4,d5,a0,\

"rkeysecu"=hex:3f,f5,91,b9,bf,e0,d1,30,e8,f4,28,b5,04,e4,ca,b2

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(928)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(984)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

Completion time: 2013-04-14 14:24:02

ComboFix-quarantined-files.txt 2013-04-14 21:23

ComboFix2.txt 2013-04-12 07:11

ComboFix3.txt 2012-05-14 03:50

.

Pre-Run: 219,274,387,456 bytes free

Post-Run: 219,451,011,072 bytes free

.

- - End Of File - - 9E25D12DB5BDF07BABA60ABB2ECF2580


Still getting the error messages.

MiniToolBox by Farbar Version:05-03-2013

Ran by Robert (administrator) on 15-04-2013 at 16:16:31

Running from "C:\Documents and Settings\Robert\Desktop"

Microsoft Windows XP Service Pack 3 (X86)

Boot Mode: Normal

***************************************************************************

========================= Event log errors: ===============================

Application errors:

==================

Error: (04/14/2013 02:09:54 PM) (Source: MPSampleSubmission) (User: )

Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/12/2013 08:28:36 AM) (Source: MPSampleSubmission) (User: )

Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/11/2013 11:53:05 PM) (Source: MPSampleSubmission) (User: )

Description: EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp, P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service) (User: )

Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service) (User: )

Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service) (User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 20

System errors:

=============

Error: (04/14/2013 02:19:14 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/14/2013 02:13:29 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/14/2013 02:12:02 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:57:59 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:55:33 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/11/2013 11:54:48 PM) (Source: Service Control Manager) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (04/10/2013 08:44:28 AM) (Source: DCOM) (User: METATRON)

Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (04/06/2013 00:00:34 AM) (Source: DCOM) (User: METATRON)

Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (03/29/2013 08:18:54 AM) (Source: DCOM) (User: METATRON)

Description: The server {2692A9D5-61DF-46D5-A5A1-A6CCA921D578} did not register with DCOM within the required timeout.

Error: (03/28/2013 03:43:16 PM) (Source: Windows Update Agent) (User: )

Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.147.673.0).

Microsoft Office Sessions:

=========================

Error: (04/14/2013 02:09:54 PM) (Source: MPSampleSubmission)(User: )

Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/12/2013 08:28:36 AM) (Source: MPSampleSubmission)(User: )

Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/11/2013 11:53:05 PM) (Source: MPSampleSubmission)(User: )

Description: mptelemetryunspecifiedhardeningtelemetryhardeningtelemetrydisablertp4.2.223.0unspecifiedunspecifiedunspecifiedNILNILNIL

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service)(User: )

Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:39 AM) (Source: Bonjour Service)(User: )

Description: SendWakeupPacket error: sent -1 bytes: 10004

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 24

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 23

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 22

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 21

Error: (04/10/2013 08:43:38 AM) (Source: Bonjour Service)(User: )

Description: ERROR: handle_resolve_request bad interfaceIndex 20

**** End of log ****


I'm sorry... but I'm not seeing it.

Are you getting the same Google earth and 7-zip errors?

What exactly do the errors say?

I don't see any mention of them in your error logs.


Why won't this thing let me post a screenshot? Anyway, it says:

GoogleEarth-Win-Bundle-7.0.3.8542:error

7-Zip: Internal error, code 105.


These errors both seem to be related to Google Earth. I can find where several people have had the same issue... going back a couple of years. Some have said they resolved the issue by uninstalling Google Earth and then re-installing it fresh - but some of these say the issue returns in a couple of days (or weeks). Some have said that they only resolved this after they uninstalled Google Earth... re-downloaded the Google Earth installer... shut off their AV and firewall (specifically if it is a third-party firewall like ZoneAlarm)... and then reinstalled. I found some who resolved it by deleting the installer file, but we already tried that and it apparently didn't work.

I haven't found a consistent resolution. I'll get back to you when I have a realistic theory.


Thank you very much. I wish this thing would just stop. Should I try any of those things? Has anyone allowed the firewall to let the thing launch?


Let's try it. I think it will install without being connected to the internet.

Uninstall Google earth.

Then download the new installer.

Then disconnect your computer from the internet (unplug if wired... shut off wifi if wireless) and then shut off your AV and your firewall (this is why I want you disconnected from the internet because without your AV and firewall you are vulnerable).

Now run the installer (hopefully it will work while disconnected from the net). Once the installer has completed its job... turn your AV and firewall back on... connect to the internet... and let me know how we did.


The installer has to be connected to the internet.


Since I uninstalled Google Earth the errors have stopped.


So... what is your current status?

Are you going to reinstall Google Earth?


I think not for the moment, unless you think it's a good idea.


If it isn't something you need... then I'd ignore it.

Let's clean up our tools:

Time for some housekeeping

  • Click START then RUN

  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

If any tools or logs are left, you can just delete them.

Please re-enable any security that was disabled.

The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:

So how did I get infected in the first place?

by Tony Klein

Also: "How to prevent malware"

by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed as Resolved.
