My computer started getting a "runtime 216 at 5003A116" error. It happens when I attempt any explorer.exe function and spybot start center. Looking on the internet, it appears it could be a backdoor trojan(?).

TrendMicro scan shows no virus. ESET also came back with no infections. Kaspersky the same. RogueKiller shows 3 registry entries and 22 SSDT drivers. I have not corrected or deleted them.

I am unable to zip the attach.txt file - explorer.exe not functioning.
Attached are the dds.txt and the aswMBR.log. Please let me know if you would like the unzipped attach.txt.

Am I infected?
Thanks for any help you can provide to me!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.13.2
Run by Brenda at 8:35:03 on 2013-12-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.198 [GMT -5:00]
.
AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Firewall Booster *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Brenda\My Documents\Downloads\RogueKiller.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brenda\My Documents\Downloads\aswMBR.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1077\TmIEPlg.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} -
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [OE] "c:\program files\trend micro\titanium\plugin\tmas\tmas_oe\TMAS_OEMon.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,RunDLLEntry
StartupFolder: c:\docume~1\brenda~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt1\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.0.cab
TCP: NameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{87A9F30A-15CF-4635-8B39-9399F6194D80} : DHCPNameServer = 192.168.1.254 192.168.1.254
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1464\6.6.1077\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brenda\application data\mozilla\firefox\profiles\50he170t.default-1347660196861\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?scope=web&mkt=en-US
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin101772.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\nokia\nokia suite\npNokiaSuiteEnabler.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-10-26 15:44; jid1-F9UJ2thwoAm5gQ@jetpack; c:\documents and settings\brenda\application data\mozilla\firefox\profiles\50he170t.default-1347660196861\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
.
============= SERVICES / DRIVERS ===============
.
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2013-4-23 64784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-4-23 22856]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2013-4-23 341072]
.
=============== Created Last 30 ================
.
2013-12-04 00:45:47 26624 ----a-w- c:\windows\system32\TrueSight.sys
.
==================== Find3M ====================
.
2013-11-01 13:29:52 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25:08 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57:59 385024 ------w- c:\windows\system32\html.iec
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 18:58:30 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-08 18:58:29 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
============= FINISH: 8:39:31.87 ===============
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-04 08:24:53
-----------------------------
08:24:53.015 OS Version: Windows 5.1.2600 Service Pack 3
08:24:53.015 Number of processors: 2 586 0x407
08:24:53.015 ComputerName: D6KX9PB1 UserName:
08:24:54.484 Initialize success
08:32:00.906 AVAST engine defs: 13120301
08:33:40.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
08:33:40.531 Disk 0 Vendor: SAMSUNG_HD160JJ/P ZM100-34 Size: 152587MB BusType: 3
08:33:40.953 Disk 0 MBR read successfully
08:33:40.953 Disk 0 MBR scan
08:33:41.343 Disk 0 unknown MBR code
08:33:41.343 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
08:33:41.500 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147644 MB offset 112455
08:33:41.609 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4886 MB offset 302487885
08:33:41.796 Disk 0 scanning sectors +312496380
08:33:42.234 Disk 0 scanning C:\WINDOWS\system32\drivers
08:36:45.593 Service scanning
08:39:30.796 Modules scanning
08:39:55.625 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
08:40:00.281 Disk 0 trace - called modules:
08:40:00.296 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
08:40:00.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dd5ab8]
08:40:00.296 3 CLASSPNP.SYS[f74d2fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86dc6b00]
08:40:01.015 AVAST engine scan C:\WINDOWS
08:40:58.390 AVAST engine scan C:\WINDOWS\system32
08:53:20.828 AVAST engine scan C:\WINDOWS\system32\drivers
08:54:39.734 AVAST engine scan C:\Documents and Settings\Brenda
09:29:40.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brenda\My Documents\MBR.dat"
09:29:41.171 The log file has been saved successfully to "C:\Documents and Settings\Brenda\My Documents\aswMBR.txt"
09:30:51.984 AVAST engine scan C:\Documents and Settings\All Users
09:41:23.953 Scan finished successfully
09:52:08.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brenda\Desktop\MBR.dat"
09:52:08.625 The log file has been saved successfully to "C:\Documents and Settings\Brenda\Desktop\aswMBR.txt"+

:welcome:

Sorry for the delay. At this point we can run some scans and to see if this is malware related, if not then I can link you to a windows forum to help you fix this problem.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Ken545,
Thank you for assistance!!
Attached is the ComboFix log.txt.

I don't know if this is helpful but...
On the 9th, my system was running slow so I run aswMBR again. It found 20 of these running - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlccjswx.exe.
It also found these 2 additional Suspicious things not previously found in my first log.
19:17:31.000 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
19:17:32.625 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
19:17:36.063 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
I can send the entire logs if needed or run them again.

Thanks,
Jess

---------------------------------------------------------------------------------------------------
ComboFix 13-12-12.03 - Brenda 12/12/2013 12:19:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.503 [GMT -5:00]
Running from: c:\documents and settings\Brenda\Desktop\ComboFix.exe
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Brenda\Local Settings\Application Data\assembly\tmp
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-11-12 to 2013-12-12 )))))))))))))))))))))))))))))))
.
.
2013-11-16 18:32 . 2013-11-16 18:32 -------- d-----w- c:\documents and settings\Guest\Application Data\.minecraft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-13 02:59 . 2005-08-16 08:18 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2005-08-16 08:18 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-04-17 12:40 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2005-08-16 08:18 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2005-08-16 08:18 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2005-08-16 08:18 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2005-08-16 08:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 07:57 . 2005-08-16 08:18 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 00:45 . 2005-08-16 08:18 385024 ------w- c:\windows\system32\html.iec
2013-10-23 23:45 . 2005-08-16 08:18 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-12 15:56 . 2005-08-16 08:18 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2005-08-16 08:18 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 18:58 . 2012-10-21 14:05 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-08 18:58 . 2012-01-23 13:18 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-07 10:59 . 2005-08-16 08:18 603136 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2013-04-23 112632]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2013-04-23 1119392]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-28 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n [2005-5-3 81920]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"NokiaOviSuite2"=c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
"NokiaSuite.exe"=c:\program files\Nokia\Nokia Suite\NokiaSuite.exe -tray
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"<NO NAME>"=
"Amazon Cloud Player"=c:\documents and settings\Brenda\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NokiaMServer"=c:\program files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/23/2013 9:29 AM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/23/2013 9:27 AM 701512]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/23/2013 8:56 AM 64784]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/23/2013 9:27 AM 22856]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [4/23/2013 9:07 AM 341072]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [4/23/2013 8:53 AM 196320]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [4/23/2013 11:32 AM 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [4/23/2013 11:32 AM 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [4/23/2013 11:32 AM 168384]
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-21 18:58]
.
2013-12-05 c:\windows\Tasks\Amazon Music Helper.job
- c:\documents and settings\Brenda\Local Settings\Application Data\Amazon Cloud Player\Amazon Music Helper.exe [2013-07-14 23:23]
.
2013-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-11-16 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-04-23 18:08]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
2013-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 15:06]
.
2013-12-11 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-04-23 18:07]
.
2013-12-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-04-23 18:07]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.bing.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page =
mStart Page =
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: musicmatch.com\online
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?scope=web&mkt=en-US
FF - ExtSQL: 2013-10-26 15:44; jid1-F9UJ2thwoAm5gQ@jetpack; c:\documents and settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
.
- - - - ORPHANS REMOVED - - - -
.
c:\documents and settings\Brenda\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk - c:\program files\ERUNT1\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-CTFMON - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-12 12:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,RunDLLEntry???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\l3codeca.acm
.
Completion time: 2013-12-12 12:32:44
ComboFix-quarantined-files.txt 2013-12-12 17:32
ComboFix2.txt 2012-02-15 01:39
.
Pre-Run: 65,599,406,080 bytes free
Post-Run: 65,760,874,496 bytes free
.
- - End Of File - - B72AF0230096219432A6F74C24A99498
5CB90281D1A59B251F6603134774EEC3

Hello Jess,

Nice to have you with us :)

Those are legit files but they could be infected, lets do this first

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Ken545,
Nothing found in Malwarebytes, attached log.
Jess


-----------------------------------------------

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.12.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Brenda:: D6KX9PB1 [administrator]

Protection: Disabled

12/12/2013 1:27:36 PM
mbam-log-2013-12-12 (13-27-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 287639
Time elapsed: 10 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Good so far, lets check these files



You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File , if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.

C:\WINDOWS\System32\DLA\DLADResN.SYS
C:\WINDOWS\System32\drivers\dxgthk.sys
C:\WINDOWS\system32\ntdll.dll


If the site is busy you can try this one
http://virusscan.jotti.org/en

Ken545,
Sorry, I am unable to access the files/folder properties. I cannot use explorer.exe - runtime error 216. Is there something I can run from the command line to show all files?


Here are the links to TotalVirus:
https://www.virustotal.com/en/file/25b18fef62395abb1eb4c17d81d9eb31759f6c5dbaa5cdb192949055d69e3071/analysis/1386887260/

https://www.virustotal.com/en/file/c36486504c3a596fdca487143f6d3b43c0bee01321f6f1f3071976556533c419/analysis/1386887406/

https://www.virustotal.com/en/file/54df909101aaec63234a5c33b51d6689fef58b943942bffa9606864f43ec1085/analysis/1386887529/

Thanks,
Jess

Those questionable files are fine .


Let me ask you, when this runtime error start ?

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop


Select All Users
Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT


Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Post both logs

Ken545,

I think it was around 12-1-13. I disregarded the first couple of errors, rebooted and all seemed fine. When the errors continued, I started researching on the internet and found it to be a potential backdoor trojan (discovered June 6, 1999), http://support.microsoft.com/kb/259279. The link in the microsoft kb has a complicated removal process, above my paygrade. :red: Since it was an older virus, I thought it would be in the "pattern" databases. I tried Spybot and got the runtime error 216. I did run other anti-virus/malware scans (Trend-Micro, Kaspersky, ESET and Malwarebytes). All were good. That is when I knew I needed help. :eek:

Attached is the OTL.txt log. The Extras.Txt was not produced.

Thanks,
Jess

----------------------------------------------------
OTL logfile created on: 12/12/2013 7:13:29 PM - Run 10
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Brenda\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 151.20 Mb Available Physical Memory | 14.79% Memory free
30.20 Gb Paging File | 29.19 Gb Available in Paging File | 96.64% Paging File free
Paging file location(s): C:\pagefile.sys 30000 50000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.18 Gb Total Space | 61.21 Gb Free Space | 42.45% Space Free | Partition Type: NTFS

Computer Name: D6KX9PB1 | User Name: Brenda | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Brenda\My Documents\Downloads\OTL(1).exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe (Trend Micro Inc.)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\dlcccoms.exe ( )
PRC - C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll ()
MOD - C:\Program Files\Trend Micro\AMSP\sqlite3.dll ()
MOD - C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll ()
MOD - C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlccHPEC.DLL ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlccFLIB.DLL ()
MOD - C:\WINDOWS\system32\spool\drivers\w32x86\3\dlcccfg.dll ()
MOD - C:\WINDOWS\system32\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccfg.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlccdrec.dll ()
MOD - C:\Program Files\Dell Photo AIO Printer 924\dlcccnv4.dll ()
MOD - C:\WINDOWS\system32\tsd32.dll ()


========== Services (SafeList) ==========

SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (Amsp) -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (dlcc_device) -- C:\WINDOWS\system32\dlcccoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (wanatw) -- system32\DRIVERS\wanatw4.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\ComboFix\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (bvrp_pci) -- File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.)
DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (USB_RNDIS_XP) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (NwlnkIpx) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (NwlnkNb) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes\{3EBADAB4-F7DC-4F65-8DD1-6699EE9CC26B}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUS_en
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes\{64BAE304-52C5-4461-95C9-144231F08FCE}: "URL" = http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms}
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\SearchScopes\{F331CD2A-43D8-4D11-996E-700D01235B03}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "www.bing.com"
FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?scope=web&mkt=en-US"
FF - prefs.js..extensions.enabledAddons: clickclean%40hotcleaner.com:4.1
FF - prefs.js..extensions.enabledAddons: nosquint%40urandom.ca:2.1.9
FF - prefs.js..extensions.enabledAddons: printedit%40DW-dev:10.2
FF - prefs.js..extensions.enabledAddons: %7B0b457cAA-602d-484a-8fe7-c1d894a011ba%7D:0.98.47
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.8.7
FF - prefs.js..extensions.enabledAddons: %7Bd40f5e7b-d2cf-4856-b441-cc613eeffbe3%7D:1.68
FF - prefs.js..extensions.enabledAddons: %7B23fcfd51-4958-4f00-80a3-ae97e717ed8b%7D:2.1.2.145
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nokia.com/EnablerPlugin: C:\Program Files\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101772.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/04/19 11:05:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\firefoxextension\ [2013/04/23 08:59:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/12/10 20:44:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/12/10 20:44:10 | 000,000,000 | ---D | M]

[2010/08/19 10:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Extensions
[2013/12/03 22:17:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions
[2013/11/27 11:55:34 | 000,000,000 | ---D | M] (FireShot) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2013/03/28 07:45:01 | 000,000,000 | ---D | M] (Click&amp;Clean) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\clickclean@hotcleaner.com
[2012/09/15 11:42:06 | 000,123,385 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\elemhidehelper@adblockplus.org.xpi
[2013/11/06 10:05:55 | 001,338,622 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\firefox@ghostery.com.xpi
[2013/10/26 14:44:21 | 000,833,307 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi
[2013/05/03 09:22:45 | 000,114,250 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\nosquint@urandom.ca.xpi
[2013/10/20 10:27:17 | 000,098,714 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\printedit@DW-dev.xpi
[2013/12/03 22:17:49 | 000,535,138 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013/10/09 15:21:06 | 000,915,554 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/09/15 11:23:43 | 000,138,614 | ---- | M] () (No name found) -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
[2012/09/15 11:46:22 | 000,002,325 | ---- | M] () -- C:\Documents and Settings\Brenda\Application Data\Mozilla\Firefox\Profiles\50he170t.default-1347660196861\searchplugins\startpage-ssl.xml
[2013/12/10 20:43:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/12/10 20:44:30 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/04/19 11:05:06 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 &lt;video&gt;) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2013/12/12 12:29:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\..\Toolbar\WebBrowser: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No CLSID value found.
O4 - HKLM..\Run: [DLCCCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3120691911-3222514972-401631166-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.0.cab (DLM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87A9F30A-15CF-4635-8B39-9399F6194D80}: DhcpNameServer = 192.168.1.254 192.168.1.254
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Brenda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brenda\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 03:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/12/12 18:38:17 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/12/12 16:36:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2013/12/12 12:15:48 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/12/12 12:15:48 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/12/12 12:15:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/12/12 12:15:48 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/12/12 12:15:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/12/12 12:12:24 | 005,154,763 | R--- | C] (Swearware) -- C:\Documents and Settings\Brenda\Desktop\ComboFix.exe
[2013/12/10 20:43:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/12/03 19:45:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda\Desktop\RK_Quarantine
[2013/11/30 09:40:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda\Desktop\New Folder
[2013/11/24 13:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brenda\Desktop\pines

========== Files - Modified Within 30 Days ==========

[2013/12/12 18:38:17 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/12/12 18:37:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/12/12 16:34:13 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/12/12 12:29:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/12/12 12:12:28 | 005,154,763 | R--- | M] (Swearware) -- C:\Documents and Settings\Brenda\Desktop\ComboFix.exe
[2013/12/11 20:37:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/12/11 12:13:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/12/11 12:13:21 | 000,297,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/12/11 12:13:20 | 1071,796,224 | -HS- | M] () -- C:\hiberfil.sys
[2013/12/11 12:10:56 | 000,000,616 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/12/11 11:30:08 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/12/10 20:01:17 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/12/10 07:49:27 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\MBR.dat
[2013/12/06 10:14:34 | 025,244,002 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\fedex_claim_1.bmp
[2013/12/06 09:58:03 | 020,020,866 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\fedex_claim.bmp
[2013/12/05 10:27:01 | 000,000,586 | ---- | M] () -- C:\WINDOWS\tasks\Amazon Music Helper.job
[2013/12/04 09:29:40 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Brenda\My Documents\MBR.dat
[2013/12/03 13:15:51 | 000,029,630 | ---- | M] () -- C:\Documents and Settings\Brenda\Application Data\wklnhst.dat
[2013/12/03 13:15:51 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\Kate.wps
[2013/12/02 20:16:14 | 000,475,648 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\tablecloth.wps
[2013/12/01 23:54:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/12/01 14:39:50 | 000,049,090 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-70017.jpg
[2013/12/01 14:28:40 | 000,050,908 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-70015.jpg
[2013/12/01 08:11:14 | 000,000,446 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/11/23 14:50:02 | 000,181,413 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\ESTES E9-4.jpg
[2013/11/23 13:10:12 | 000,031,971 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\estes saturn v.jpg
[2013/11/23 12:49:28 | 000,044,477 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\ESTES EXECUTIONER.jpg
[2013/11/23 12:39:36 | 000,088,991 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\Estes interceptor.jpg
[2013/11/23 11:47:30 | 000,029,893 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-70011.jpg
[2013/11/23 11:14:45 | 000,032,784 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-5502-1.jpg
[2013/11/23 09:11:22 | 000,012,005 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-6017-1.jpg
[2013/11/23 08:33:41 | 000,012,924 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\11-6018-1.jpg
[2013/11/19 10:01:36 | 000,014,336 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\options.xlr
[2013/11/16 14:17:38 | 000,000,620 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/11/14 10:43:28 | 002,779,800 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\Windermere GE Appliance Package.pdf
[2013/11/14 10:15:41 | 022,540,708 | ---- | M] () -- C:\Documents and Settings\Brenda\Desktop\2014-Timberlake-Specification-Guide.pdf
[2013/11/13 19:53:56 | 000,000,360 | RHS- | M] () -- C:\boot.ini

========== Files Created - No Company Name ==========

[2013/12/12 12:15:48 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/12/12 12:15:48 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/12/12 12:15:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/12/12 12:15:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/12/12 12:15:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/12/06 10:00:51 | 025,244,002 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\fedex_claim_1.bmp
[2013/12/06 09:57:57 | 020,020,866 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\fedex_claim.bmp
[2013/12/05 20:32:47 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/12/05 20:32:44 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/12/04 09:52:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\MBR.dat
[2013/12/04 09:29:40 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Brenda\My Documents\MBR.dat
[2013/12/02 20:12:37 | 000,475,648 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\tablecloth.wps
[2013/12/01 14:39:49 | 000,049,090 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-70017.jpg
[2013/12/01 14:28:39 | 000,050,908 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-70015.jpg
[2013/11/24 13:10:59 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\Kate.wps
[2013/11/23 14:36:13 | 000,181,413 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\ESTES E9-4.jpg
[2013/11/23 13:10:11 | 000,031,971 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\estes saturn v.jpg
[2013/11/23 12:49:27 | 000,044,477 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\ESTES EXECUTIONER.jpg
[2013/11/23 12:19:37 | 000,088,991 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\Estes interceptor.jpg
[2013/11/23 11:47:29 | 000,029,893 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-70011.jpg
[2013/11/23 11:14:44 | 000,032,784 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-5502-1.jpg
[2013/11/23 09:11:21 | 000,012,005 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-6017-1.jpg
[2013/11/23 08:33:40 | 000,012,924 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\11-6018-1.jpg
[2013/11/14 12:41:27 | 000,014,336 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\options.xlr
[2013/11/14 10:43:27 | 002,779,800 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\Windermere GE Appliance Package.pdf
[2013/11/14 10:15:06 | 022,540,708 | ---- | C] () -- C:\Documents and Settings\Brenda\Desktop\2014-Timberlake-Specification-Guide.pdf
[2013/11/04 13:47:05 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/04/25 21:14:47 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2012/02/14 15:14:46 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/08/10 15:59:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Brenda\Local Settings\Application Data\housecall.guid.cache
[2008/02/12 13:13:58 | 000,067,072 | ---- | C] () -- C:\Documents and Settings\Brenda\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/02 11:56:46 | 000,029,630 | ---- | C] () -- C:\Documents and Settings\Brenda\Application Data\wklnhst.dat
[2006/09/04 14:21:18 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Brenda\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2005/08/16 03:39:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2005/08/16 19:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2007/08/28 17:57:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2012/09/29 16:31:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2012/04/14 15:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2011/07/24 20:12:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2012/10/22 15:36:34 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\System Restore
[2007/04/19 18:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Transparent
[2006/08/28 22:48:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/12/23 16:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Amazon
[2007/03/01 09:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\BellSouth
[2012/10/22 15:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\FireShot
[2006/09/17 15:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Leadertech
[2012/03/09 11:01:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Nokia
[2011/08/19 17:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\PC Suite
[2006/09/07 08:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Simple Star
[2007/08/07 17:47:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Souptoys
[2006/12/02 11:56:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Template
[2006/11/19 07:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brenda\Application Data\Walgreens
[2006/10/02 10:55:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\EarthLink Toolbar
[2013/11/16 13:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\.minecraft
[2013/04/30 13:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\PC Suite
[2013/10/06 12:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Template

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/10 04:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2012/11/13 13:07:52 | 003,906,584 | ---- | M] (Safer-Networking Ltd.) MD5=E4A0900CF535888DDD85B10040CA3E34 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/10 04:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe
[2004/08/10 04:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2013/04/04 13:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2013/04/23 14:46:46 | 000,218,184 | ---- | M] () MD5=B6381489F9C8612AFFD4A2765ABD341C -- C:\Documents and Settings\Brenda\My Documents\Downloads\mbam-chameleon-1.62.1.1000\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/10 04:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2004/08/10 04:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/10 04:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2004/08/10 04:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2013/04/04 13:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2013/04/23 14:46:46 | 000,218,184 | ---- | M] () MD5=B6381489F9C8612AFFD4A2765ABD341C -- C:\Documents and Settings\Brenda\My Documents\Downloads\mbam-chameleon-1.62.1.1000\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Not looking at any malware, did you change the restrictions listed above with Spybot or on your own ?

Runtime errors can be caused by a few things, it doesn't mean your infected, it can be caused sometimes by a hardware issue like your mouse etc.

Have you installed any new hardware prior to the runtime error ?

Its possible to do a system restore prior to the error and see if it goes away

Ken545,

I will do the restore and let you know the outcome.

I use Firefox for my internet browser. I don't know what the Internet Explorer restrictions are. I did remove some things with Spybot from the start list but added them back. Could I have changed the restrictions that way?

I added a new plug-n-play mouse back in September, way before the error.

Glad to know I'm not infected. I panicked when I saw the Microsoft kb and the damages from a trojan.

Thank you so much for your help!
Jess

Good Morning Jess,

Here are instructions for Windows XP System Restore, be sure to select a date prior to your runtime error messages, also post back and let me know how it went
http://technet.microsoft.com/en-us/library/bb457025.aspx


A heads up on XP, it will be going the way of windows 95 and 98 sometime this spring, Microsoft will be dropping support for it, what that means is there wont be anymore windows updates and there needed to keep your system secure. I think at that time its best to either upgrade the operating system or if you computer is a bit old and wont support the new operating systems than maybe thinking about getting a new one may be the way to go

Good Morning Ken545,

I did a restore back a month. The runtime error 216 persisted. I then restored back to Oct. 30. Knew that it was definitely a working restore point. The runtime error 216 was still there and svchost.exe - SYSTEM was running at 50% CPU for over 40 minutes. Both of the restores had the "digital line detect.ink disabled". Couldn't access the internet. "Help and Support" inquiry came up with nothing on how to enable.

I restored back to yesterday (12-12-13), OTL restore point. Digital line detect is now enabled.

Here are the errors that show up during all three system start ups -
SDFSSVC.exe - Application error - The instruction at "0x5003a116" referenced memory at "0x00d08288". The memory could not be "read".
SDUpdSvc.exe- Application error - The instruction at "0x5003a116" referenced memory at "0x00d08288". The memory could not be "read".
SDUpdSvc.exe encountered a problems and needs to be closed. We are sorry for the inconvenience.
SDFSSvc.exe encountered a problems and needs to be closed. We are sorry for the inconvenience.
SDTray.exe encountered a problems and needs to be closed. We are sorry for the inconvenience.

In my last restore I have an additional error -
RUNDLL - error in c:\WINDOWS\Sytem32\spool\Drivers\W32x86\3\DLCCtime.dll

The explorer.exe error I've been getting -
explorer.exe - Application error - The instruction at "0x5003a116" referenced memory at "0x036a83c8". The memory could not be "read". (the "referenced memory" changes with each file)
runtime error 216 at 5003A116.
explorer.exe - Application error - The instruction at "0x00009007" referenced memory at "0x00000000". The memory could not be "written". (the "referenced memory" is the same with each file)

Any ideas?

Thank you for the heads up on the Windows XP. It will give me some time to figure out if upgrade or replace is better.

Thanks again for all your help!
Jess

Hello Jess,

The error your getting now is related to Spybot Search and Destroy, what I would do is uninstall it, reboot and do a clean install of Spybot and see if that helps.

The other error your getting is related to your Dell Printer
http://www.systemlookup.com/search.php?type=filename&search=DLCCtime.dll+&s=


I think at this point you may need to post in a windows forum, this is a site we work closely with.

www.whatthetech.com
You need to go here and register, like this forum its free. Be sure to use the same username your using here

Once your registered than post in there windows forum, you can link them to this thread so they can see what we have done
http://forums.whatthetech.com/index.php?showforum=119


I can follow along and see how its going, good luck

Ken :)

Hi Ken,

Success!! :laugh: Thank you, thank you!

Removing Sybot fixed the runtime error 216. I am able to access and use the functions of explorer.exe. I still have the RUNDLL error but I will research it and post to the Windows forum, if needed.

I did create a restore point before I attempt to install Spybot again.

Thanks for all your help with this!! It is so much appreciated!!

Jess

Your very welcome Jess :)



We need to update your Java to keep you more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 7 Update 45, if not proceed with the instructions.

Go to the update Tab and update it
Important, during the upgrade UNCHECK ASK TOOL BAR. ( you do not need or want this )

Then go to your Add Remove Programs (WIN XP) or Programs and Features (Vista / Win 7) in the Control Panel and uninstall all previous versions.


You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)






Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep and will not be removed



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

Ken,

Just wanted to give a quick update ...

I've upgraded all my outdated software, re-installed Spybot and everything is running GREAT!! No runtime errors with explorer.exe or Spybot.

Thanks again for your assistance with my problem!! Couldn't have done it without you!
Thank you, thank you, thank you!!!

Sincerely,
Jess

Your very welcome Jess, so glad things are running back to normal for you :)

Some info about Windows XP that you may find interesting
http://techpageone.dell.com/technology/windows-xp-end-road/?dgc=BA&cid=272099&lid=5049884&acd=12309189674467600#.Uq9JO_RDtL1

Take Care

Ken :)

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.