Trojan that deletes AV software


wmbeyer

New member
Well, it doesn't delete software, but it removes icons and shuts down the computer when I try to run Malwarebytes or Spyware Doctor.

My son has contracted a virus while surfing porn. Apparently he downloaded ComboFix a couple of weeks ago. It will not run, or so he says. I tried to delete it, but it is set to Read Only and I cannot change that. Also, I downloaded Malwarebytes and attempted to run it, but it only starts to run and then shuts down.

Lastly, I ran a program called Trojan Hunter on it. The virus does not seem to recognize this program as a threat, but it does not remove this virus. It removed files from the Epson printer, Sunbelt VIPRE AV (expired), Java, System Restore (which is currently turned off and will not open), Adobe, Spyware Doctor, ComboFix, and c:\32788R22FWJFW, which cannot be deleted. This file was created when the virus took control.

What can I do from here, especially since he used ComboFix and now can't?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Owner at 21:41:49 on 2011-09-22
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1044 [GMT -4:00]
.
AV: Sunbelt VIPRE *Enabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\2556528678:3648495207.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [PopUpStopperFreeEdition] c:\progra~1\panicw~1\pop-up~1\PSFree.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
TCP: Interfaces\{60578A1D-F672-4C15-B767-65A2E2E0CF00} : DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-2-24 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-2-24 51072]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-5-12 13400]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-5-12 69720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\photoshopelementsfileagent.exe --> c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [?]
S2 mrtRate;mrtRate; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
.
=============== Created Last 30 ================
.
2011-09-23 01:09:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-23 01:09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-22 03:53:35 -------- d-----w- C:\ComboFix
2011-09-22 03:42:05 46080 ---ha-w- c:\windows\system32\dwwigpwd.dll
2011-09-18 07:34:37 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-08-17 20:23:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41:03 411 -c--a-w- c:\windows\system.tmp
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 21:42:14.92 ===============
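Two entries in the DDS log above stand out to a defender reading it by hand: a process running from `C:\WINDOWS\2556528678:3648495207.exe` (the second colon means the executable is an NTFS alternate data stream, not an ordinary file) and a freshly created DLL in system32 carrying the hidden attribute. The following triage script is an added example written for this thread; it is not part of the original post and is not code from DDS, ComboFix or any of the tools mentioned. It assumes the DDS section headers and "Created Last 30" line layout shown in the log, and it treats an `h` in the eight-character attribute field as the hidden flag (an assumption about the DDS attribute format). The sample log is a constructed excerpt in the shape of the one posted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a DDS log (a few lines modelled on the log above).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\2556528678:3648495207.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
.
=============== Created Last 30 ================
.
2011-09-23 01:09:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-22 03:42:05 46080 ---ha-w- c:\windows\system32\dwwigpwd.dll
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
============= FINISH: 21:42:14.92 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# date time size attrs path  (size is digits, or dashes for a directory)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Image path of a process line, cutting off trailing arguments such as "-k netsvcs".
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|dll|sys))\b", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into named sections; blank and '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def is_ads_path(path: str) -> bool:
    """True when a Windows path names an NTFS alternate data stream.

    After the drive letter's own colon is removed, any remaining ':' can only be
    a stream separator (file.exe:stream), which ordinary programs never use.
    """
    body = re.sub(r"^[A-Za-z]:", "", path)
    return ":" in body


def parse_created(line: str) -> Optional[dict]:
    """Parse one 'Created Last 30' line; returns None for lines that do not match."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Assumption: an 'h' in the DDS attribute field marks the file as hidden.
    entry["hidden"] = "h" in entry["attrs"]
    return entry


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (category, path) findings worth a human's attention, in log order."""
    findings: List[Tuple[str, str]] = []
    sections = parse_sections(text)
    for line in sections.get("Running Processes", []):
        m = EXE_RE.match(line)
        path = m.group("path") if m else line
        if is_ads_path(path):
            findings.append(("ads_process", path))
    for line in sections.get("Created Last 30", []):
        entry = parse_created(line)
        if entry and entry["hidden"] and entry["path"].lower().startswith("c:\\windows\\"):
            findings.append(("hidden_new_file", entry["path"]))
    return findings


if __name__ == "__main__":
    for category, path in triage(SAMPLE_DDS):
        print(f"{category:16} {path}")
```

The script only flags; it does not delete or quarantine anything, which matches the helper's instruction not to act on entries without supervision. Hidden files under the Windows directory and stream-hosted processes are not proof of infection on their own, but they are the lines a responder should verify first.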
 
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.
----------

RKill

Print out these instructions as we may need to close every window that is open later in the fix.


It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe

Do not reboot your computer after running rkill as the malware programs will start again.
----------


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
    Vista and Windows 7 users right click the icon and choose "Run as administrator".
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


---------

In your next reply please post the logs that were created by GMER and aswMBR. :)
 
Hello Jeff, I cannot find any button to subscribe to, so I assume that I have already done that. My son continued to try to "fix" it after I posted to you. He renamed the ComboFix program and ran it. Then he downloaded a trial version of VIPRE and then deleted that program, then ran ComboFix again. I have included that stuff and took away his access to the computer until you do whatever you do. I am sorry, it seriously pisses me off that he kept screwing with it. Nothing else will be done on this computer until you give the all clear. Anyway, here are the two logs from his actions, and what I did as per your directions.

1st run;
ComboFix 11-09-22.04 - Owner 09/22/2011 23:01:27.18.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1218 [GMT -4:00]
Running from: H:\vageta.com
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB47343$\1831806209
c:\windows\$NtUninstallKB47343$\646472088\@
c:\windows\$NtUninstallKB47343$\646472088\click.tlb
c:\windows\$NtUninstallKB47343$\646472088\L\qaejgnvm
c:\windows\$NtUninstallKB47343$\646472088\loader.tlb
c:\windows\$NtUninstallKB47343$\646472088\U\@00000001
c:\windows\$NtUninstallKB47343$\646472088\U\@000000c0
c:\windows\$NtUninstallKB47343$\646472088\U\@000000cb
c:\windows\$NtUninstallKB47343$\646472088\U\@000000cf
c:\windows\$NtUninstallKB47343$\646472088\U\@80000000
c:\windows\$NtUninstallKB47343$\646472088\U\@800000c0
c:\windows\$NtUninstallKB47343$\646472088\U\@800000cb
c:\windows\$NtUninstallKB47343$\646472088\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\
c:\windows\system32\c_27642.nls
c:\windows\system32\dwwigpwd.dll
c:\windows\system32\ikhcore.log
c:\windows\$NtUninstallKB47343$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_26886198
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41 . 2007-02-25 00:44 411 -c--a-w- c:\windows\system.tmp
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/12/2010 11:21 PM 13400]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/12/2010 11:21 PM 69720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [?]
S2 mrtRate;mrtRate; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-22 23:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(5212)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-22 23:13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-23 03:13
ComboFix2.txt 2011-09-18 01:28
ComboFix3.txt 2011-09-17 04:37
ComboFix4.txt 2011-07-28 02:23
ComboFix5.txt 2011-09-23 02:57
.
Pre-Run: 135,259,607,040 bytes free
Post-Run: 135,262,322,688 bytes free
.
- - End Of File - - 4C0058722841913A6D0CC11673ADE04B

2nd run;

ComboFix 11-09-22.04 - Administrator 09/23/2011 0:02.19.1 - x86 NETWORK
Running from: H:\vageta.com
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ikhcore.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-23 03:11 . 2011-09-23 03:27 -------- d-----w- c:\windows\LastGood
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41 . 2007-02-25 00:44 411 -c--a-w- c:\windows\system.tmp
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-09-23_03.10.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-12-15 02:11 . 2004-10-14 16:36 21504 c:\windows\$hf_mig$\KB885835\update\spcustom.dll
+ 2004-12-15 02:11 . 2004-10-14 15:36 21504 c:\windows\$hf_mig$\KB885835\update\spcustom.dll
- 2004-12-15 02:11 . 2004-10-14 16:34 7168 c:\windows\$hf_mig$\KB885835\spmsg.dll
+ 2004-12-15 02:11 . 2004-10-14 15:34 7168 c:\windows\$hf_mig$\KB885835\spmsg.dll
+ 2011-09-23 03:27 . 2009-06-25 08:44 724480 c:\windows\LastGood\system32\lsasrv.dll
+ 2011-09-23 03:27 . 2006-05-05 09:47 174592 c:\windows\LastGood\system32\DRIVERS\rdbss.sys
+ 2011-09-23 03:27 . 2010-02-24 12:31 454016 c:\windows\LastGood\system32\DRIVERS\mrxsmb.sys
+ 2011-09-23 03:27 . 2006-05-05 09:47 174592 c:\windows\LastGood\system32\DllCache\rdbss.sys
+ 2011-09-23 03:27 . 2010-02-24 12:31 454016 c:\windows\LastGood\system32\DllCache\mrxsmb.sys
+ 2011-09-23 03:27 . 2009-06-25 08:44 724480 c:\windows\LastGood\system32\DllCache\lsasrv.dll
+ 2011-09-23 03:27 . 2010-02-24 12:31 454016 c:\windows\LastGood\Driver Cache\i386\mrxsmb.sys
+ 2011-09-23 03:27 . 2004-10-28 01:14 174592 c:\windows\LastGood\$hf_mig$\KB885835\SP2QFE\rdbss.sys
+ 2011-09-23 03:27 . 2004-10-28 01:15 448128 c:\windows\LastGood\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys
+ 2011-09-23 03:27 . 2004-10-28 01:28 721920 c:\windows\LastGood\$hf_mig$\KB885835\SP2QFE\lsasrv.dll
- 2004-12-15 02:11 . 2004-10-14 16:34 654848 c:\windows\$hf_mig$\KB885835\update\update.exe
+ 2004-12-15 02:11 . 2004-10-14 15:34 654848 c:\windows\$hf_mig$\KB885835\update\update.exe
- 2004-12-15 02:11 . 2004-10-14 16:36 169984 c:\windows\$hf_mig$\KB885835\spuninst.exe
+ 2004-12-15 02:11 . 2004-10-14 15:36 169984 c:\windows\$hf_mig$\KB885835\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RecordNow!"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-01-04 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
R2 mrtRate;mrtRate; [x]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-01-04 69720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd21
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 00:06
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-23 00:07:25
ComboFix-quarantined-files.txt 2011-09-23 04:07
ComboFix2.txt 2011-09-23 03:13
ComboFix3.txt 2011-09-18 01:28
ComboFix4.txt 2011-09-17 04:37
ComboFix5.txt 2011-09-23 04:00
.
Pre-Run: 136,840,933,376 bytes free
Post-Run: 136,824,389,632 bytes free
.
- - End Of File - - 3EDC079D124CB7BAF552A0EC9840B834

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/23/2011 at 20:16:44.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe


Rkill completed on 09/23/2011 at 20:16:47.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-23 23:22:35
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y160P0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwldqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB982B340, 0xFFF7F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x238C20, 0xF8000020]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2444] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\CurrentControlSet\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256

---- EOF - GMER 1.0.15 ----

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-23 23:22:52
-----------------------------
23:22:52.500 OS Version: Windows 5.1.2600 Service Pack 2
23:22:52.500 Number of processors: 1 586 0x408
23:22:52.500 ComputerName: BILLSR UserName: Owner
23:22:52.953 Initialize success
23:23:07.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:23:07.093 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
23:23:09.109 Disk 0 MBR read successfully
23:23:09.109 Disk 0 MBR scan
23:23:09.109 Disk 0 unknown MBR code
23:23:09.125 Disk 0 scanning sectors +320150880
23:23:09.406 Disk 0 scanning C:\WINDOWS\system32\drivers
23:23:53.421 Service scanning
23:23:54.312 Modules scanning
23:24:50.203 Disk 0 trace - called modules:
23:24:50.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:24:50.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a1eaab8]
23:24:50.250 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000064[0x8a25b280]
23:24:50.250 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a1d8940]
23:24:50.750 Scan finished successfully
23:25:36.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
23:25:36.546 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
 
Hi wmbeyer,
I cannot find any button to subscribe to
Sorry about that...look at the top of this topic and there is a button that says Thread Tools. Press that and then select Subscribe to this thread. That should do it. :)
----------

Thank you for the logs that I needed. Please do not do anything else with your system (especially running ComboFix as improper use of this tool can make your system completely inoperable) as this infection you have on your system is particularly nasty. Please read below...

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

If you would like to continue with the cleaning please continue with the following instructions and I will be more than happy to help. :)
----------

I would like for you to run DDS once more and then post both of the logs created into your next reply so that I can get a fresh look at what your system looks like.
----------

Please delete the version of ComboFix that you have on your system by using Right-click > Delete. Now download a fresh copy of ComboFix from here and save it directly to your Desktop. Go ahead and run ComboFix and when completed there will be a log that I will need you to post into your next reply.

In your next reply please post both of the logs created by DDS and the logs created by ComboFix. :)
 
both DDS and Combofix logs

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Owner at 1:08:26 on 2011-09-25
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1134 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [PopUpStopperFreeEdition] c:\progra~1\panicw~1\pop-up~1\PSFree.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
TCP: Interfaces\{60578A1D-F672-4C15-B767-65A2E2E0CF00} : DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; [x]
S2 mrtRate;mrtRate; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
.
=============== Created Last 30 ================
.
2011-09-23 01:09:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-23 01:09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-18 07:34:37 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-08-17 20:23:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41:03 411 -c--a-w- c:\windows\system.tmp
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 1:09:14.15 ===============

.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/2/2004 1:46:47 PM
System Uptime: 9/24/2011 2:20:05 PM (11 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | Diablo
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 754 | 1994/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 148 GiB total, 125.666 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 0.947 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP462: 9/16/2011 3:42:38 AM - System Checkpoint
RP463: 9/17/2011 12:44:20 AM - Made by Regsofts
RP464: 9/17/2011 12:48:57 AM - Made by Regsofts
RP465: 9/17/2011 10:49:24 PM - Made by Regsofts
RP466: 9/17/2011 10:53:14 PM - Made by Regsofts
RP467: 9/17/2011 10:55:46 PM - Made by Regsofts
RP468: 9/19/2011 1:44:26 AM - System Checkpoint
RP469: 9/20/2011 6:08:51 AM - System Checkpoint
RP470: 9/22/2011 1:05:23 AM - Removed VIPRE Antivirus Premium.
RP471: 9/22/2011 11:26:49 PM - Software Distribution Service 3.0
RP472: 9/23/2011 12:38:16 AM - Made by Regsofts
RP473: 9/23/2011 12:41:05 AM - Made by Regsofts
RP474: 9/23/2011 12:42:37 AM - Made by Regsofts
RP475: 9/23/2011 12:58:31 AM - Made by Regsofts
RP476: 9/23/2011 1:00:19 AM - Made by Regsofts
RP477: 9/23/2011 1:05:59 AM - Installed VIPRE Antivirus.
RP478: 9/23/2011 2:55:05 AM - Removed VIPRE Antivirus.
RP479: 9/24/2011 3:59:10 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
Acrobat.com
Acronis*PrivacyExpert
Active@ Password Changer Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album Starter Edition
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader X (10.1.1)
AiO_Scan
AIOMinimal
AiOSoftware
ArcSoft PhotoImpression 6
ArcSoft Print Creations
ArcSoft ShowBiz 2
ArcSoft Software Suite
CafeScribe Offline
Calculator Powertoy for Windows XP
CCleaner
CheckIt Diagnostics
Command & Conquer Generals
Command and ConquerTM Generals Zero Hour
Compaq Connections
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
Director
DocProc
Enhanced Multimedia Keyboard Solution
EPSON CX8400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX8400 Series Scanner Driver Update
ERUNT 1.1j
Fax
Free Window Registry Repair
GdiplusUpgrade
GoToMeeting 4.1.0.366
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet Preloaded Printer Drivers
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.0
HP Update
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_06
Java 2 Runtime Environment, SE v1.4.2_18
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Macromedia Shockwave Player
Mah Jong Tiles Deluxe
Malwarebytes' Anti-Malware version 1.51.2.1300
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2003
Microsoft Office PowerPoint 2003 Template Creation Wizard
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Producer for Microsoft Office PowerPoint 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MS Access 97 SP2
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MyScribe
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PerformanceTest v5.0
PhotoGallery
PhotoshopdotcomInspirationBrowser
Photosmart 140,240,7200,7600,7700,7900 Series
Pop-Up Stopper Free Edition
PrintScreen
Professor Answers
Professor Teaches Excel 2003
Professor Teaches PowerPoint 2003
Professor Teaches Word 2003
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2004
QuickProjects
Readme
RealPlayer
RecordNow!
RegCure
Registrar Registry Manager 4.03
Registrar Registry Manager 4.03 (Lite Edition)
Scan
Secunia PSI
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Series 6 Drill and Practice
SkinsHP1
SkinsHP2
Sonic Update Manager
Spybot - Search & Destroy
Sybase SQL Anywhere 7 Personal Server
Symantec KB-DocID:2003093015493306
System Security Suite 1.04
Top Comp Calculator
TrayApp
TrojanHunter 5.3
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Viewpoint Media Player (Remove Only)
Virtual Magnifying Glass v3.4
WebFldrs XP
WebReg
Westell Firmware Upgrade
Westwood Shared Internet Components
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 2
WinPatrol 2009
Zone Deluxe Games
.
==== Event Viewer Messages From Past Week ========
.
9/23/2011 12:55:09 AM, error: Service Control Manager [7000] - The PC Tools Spyware Doctor service failed to start due to the following error: The system cannot find the path specified.
9/23/2011 12:55:09 AM, error: Service Control Manager [7000] - The NVIDIA Driver Helper Service service failed to start due to the following error: The system cannot find the path specified.
9/23/2011 12:55:09 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the path specified.
9/23/2011 12:55:09 AM, error: Service Control Manager [7000] - The EPSON V3 Service4(01) service failed to start due to the following error: The system cannot find the path specified.
9/22/2011 9:58:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/22/2011 9:57:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/22/2011 9:48:19 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
9/22/2011 9:48:05 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The PC Tools Spyware Doctor service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The nVidia WDM Video Capture (universal) service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The nVidia WDM A/V Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The NVIDIA Driver Helper Service service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 9:47:59 AM, error: Service Control Manager [7000] - The EPSON V3 Service4(01) service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 9:06:29 PM, error: WMPNetworkSvc [14322] - Service 'WMPNetworkSvc' did not start correctly because MFStartup encountered error '0xc00d36ef'. If possible, reinstall Windows Media Player.
9/22/2011 5:54:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/22/2011 4:46:44 PM, error: Dhcp [1002] - The IP address lease 192.168.54.1 for the Network Card with network address 000EA664C943 has been denied by the DHCP server 192.168.54.254 (The DHCP Server sent a DHCPNACK message).
9/22/2011 3:55:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
9/22/2011 12:58:20 AM, error: Service Control Manager [7000] - The SB Recovery Service service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 12:55:52 AM, error: Service Control Manager [7034] - The SB Recovery Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 12:55:52 AM, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 12:55:52 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 12:55:52 AM, error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 12:55:52 AM, error: Service Control Manager [7034] - The Adobe Active File Monitor V7 service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 11:00:53 PM, error: Service Control Manager [7023] - The Workstation service terminated with the following error: The system cannot find the file specified.
9/22/2011 11:00:53 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The system cannot find the file specified.
9/22/2011 11:00:53 PM, error: Service Control Manager [7001] - The Alerter service depends on the Workstation service which failed to start because of the following error: The system cannot find the file specified.
9/22/2011 10:01:50 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/22/2011 1:04:25 AM, error: Service Control Manager [7000] - The VIPRE Antivirus Premium service failed to start due to the following error: Access is denied.
9/22/2011 1:04:25 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service SBAMSvc with arguments "" in order to run the server: {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}
9/21/2011 11:50:58 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/21/2011 11:46:37 PM, error: Service Control Manager [7034] - The VIPRE Antivirus Premium service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

ComboFix 11-09-24.04 - Owner 09/25/2011 1:12.22.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1157 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security 6-23\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-23 04:09 . 2011-09-23 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41 . 2007-02-25 00:44 411 -c--a-w- c:\windows\system.tmp
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; [x]
S2 mrtRate;mrtRate; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-25 01:16
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1620)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-25 01:18:05
ComboFix-quarantined-files.txt 2011-09-25 05:18
ComboFix2.txt 2011-09-23 07:50
ComboFix3.txt 2011-09-23 06:52
ComboFix4.txt 2011-09-23 04:07
ComboFix5.txt 2011-09-25 05:11
.
Pre-Run: 134,915,289,088 bytes free
Post-Run: 134,898,909,184 bytes free
.
- - End Of File - - 4C6C650ABF98AB844A4C3EA30C264A15
 
Hi wmbeyer,

Please disable WinPatrol

  • Right click on the "Scotty Dog" icon in your system tray and select "Exit Program".
----------

Go to Start > Control Panel > Add/Remove Programs > delete this -->Viewpoint Media Player
----------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download

File::
c:\windows\system32\drivers\sbredrv.sys
c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe

Driver::
SBRE
AdobeActiveFileMonitor7.0
mrtRate
Symantec Core LC

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
----------
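As an added example (not part of this thread, and not code from DDS or ComboFix), here is a Python script that parses the SERVICES / DRIVERS section of a DDS log and lists the entries whose backing file DDS could not find (a trailing `[x]` or `[?]`), which is how the SBRE, AdobeActiveFileMonitor7.0 and mrtRate lines of the CFScript `Driver::` block above are picked out. The sample log text inside is constructed in the shape of the lines posted earlier in the thread; the function names `parse_services`, `orphaned_services` and `cfscript_driver_block` are my own.

```python
"""Triage of the SERVICES / DRIVERS section of a DDS log (added example).

Not part of the thread and not code from DDS or ComboFix. DDS prints one
line per service/driver as
    <state> <name>;<display name>;<path> [<date> <size>]
where state is R (running) or S (stopped) plus the start-type digit, and a
trailing "[x]" or "[?]" means the file behind the entry could not be found.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
_TRAILING_BRACKET = re.compile(r"\s*\[[^\]]*\]$")

# Start-type digit as used in DDS/HijackThis-style service listings.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Constructed sample in the shape of the DDS log posted above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; [x]
S2 mrtRate;mrtRate; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
.
=============== Created Last 30 ================
.
2011-09-23 01:09:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


@dataclass
class ServiceEntry:
    state: str      # e.g. "R2", "S1"
    name: str       # service key name, which is what CFScript's Driver:: takes
    display: str
    path: str       # image path as DDS printed it ("" when DDS found none)
    orphan: bool    # True when DDS flagged the file as missing ([x] / [?])

    @property
    def running(self) -> bool:
        return self.state[0] == "R"

    @property
    def start_type(self) -> str:
        return START_TYPES.get(self.state[1], "unknown")


def parse_services(dds_text: str) -> list[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section, in log order."""
    entries: list[ServiceEntry] = []
    in_section = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break                      # reached the next DDS section header
        if not in_section:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue                   # "." spacer lines and blanks
        rest = m.group("rest").strip()
        orphan = rest.endswith("[x]") or rest.endswith("[?]")
        # Keep the registered path: DDS appends " --> <resolved path> [?]" when
        # the registered file does not resolve and " [<date> <size>]" when it does.
        path = _TRAILING_BRACKET.sub("", rest.split(" -->", 1)[0]).strip()
        entries.append(ServiceEntry(m.group("state"), m.group("name").strip(),
                                    m.group("display").strip(), path, orphan))
    return entries


def orphaned_services(dds_text: str) -> list[str]:
    """Names of services/drivers whose image file DDS could not find."""
    return [e.name for e in parse_services(dds_text) if e.orphan]


def cfscript_driver_block(dds_text: str) -> str:
    """Render the orphans as a CFScript 'Driver::' block ("" if none)."""
    names = orphaned_services(dds_text)
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""


if __name__ == "__main__":
    for e in parse_services(SAMPLE_DDS):
        flag = "FILE MISSING" if e.orphan else "ok"
        print(f"{e.state} {e.name:<28} start={e.start_type:<8} {flag}")
    print(cfscript_driver_block(SAMPLE_DDS))
```

The S4 Symantec Core LC entry the helper also removed is a judgement call (a disabled leftover of an uninstalled product whose file still exists), which this script deliberately leaves to the analyst rather than flagging automatically.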
 
applied script and re-ran Combofix

Hello Jeff, I had to work today, so I am a little late getting back to you. I have done as you asked. Thanks


ComboFix 11-09-26.01 - Owner 09/26/2011 1:28.23.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1145 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security 6-23\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security 6-23\CFScript.txt
.
FILE ::
"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe"
"c:\windows\system32\drivers\sbredrv.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ADOBEACTIVEFILEMONITOR7.0
-------\Legacy_MRTRATE
-------\Legacy_SBRE
-------\Legacy_SYMANTEC_CORE_LC
-------\Service_AdobeActiveFileMonitor7.0
-------\Service_mrtRate
-------\Service_SBRE
-------\Service_Symantec Core LC
.
.
((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
.
.
2011-09-23 04:09 . 2011-09-23 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-28 05:41 . 2007-02-25 00:44 411 -c--a-w- c:\windows\system.tmp
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-26 01:35
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\WMPNetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-26 01:38:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-26 05:38
ComboFix2.txt 2011-09-25 05:18
ComboFix3.txt 2011-09-23 07:50
ComboFix4.txt 2011-09-23 06:52
ComboFix5.txt 2011-09-26 05:28
.
Pre-Run: 134,899,621,888 bytes free
Post-Run: 134,883,454,976 bytes free
.
- - End Of File - - 6F9BCFA088F25248BECE30AD7C97E84F
 
Hi wmbeyer,

I had to work today, so I am a little late getting back to you.
It is not a problem at all. If you need more time just let me know and I can keep the topic open. :)
----------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

RegNull::
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


CFScriptB-4.gif


Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
I'll be here every day

No need to delay. I just won't have the ability to answer as fast as I get e-mail. Anyway, on the desktop I now have an icon with a small Windows Media Player arrow on it called MBR.dat that was not there before. In addition, HijackThis is no longer an icon with the dynamite. Should this be deleted?

Here is the log after running your last script.
ComboFix 11-09-26.02 - Owner 09/26/2011 20:33:21.24.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1164 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security 6-23\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security 6-23\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-23 04:09 . 2011-09-23 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-26 20:38
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1736)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-26 20:39:35
ComboFix-quarantined-files.txt 2011-09-27 00:39
ComboFix2.txt 2011-09-26 05:38
ComboFix3.txt 2011-09-25 05:18
ComboFix4.txt 2011-09-23 07:50
ComboFix5.txt 2011-09-27 00:32
.
Pre-Run: 134,852,968,448 bytes free
Post-Run: 134,837,501,952 bytes free
.
- - End Of File - - 81BD00C1E0AB19BD6FAD273F6EB28638
 
on the desktop I now have an icon with a small Windows Media Player arrow on it called MBR.dat that was not there before. In addition, HijackThis is no longer an icon with the dynamite. Should this be deleted?
No those are fine. :) I will be back soon with what to do next.
 
Hi wmbeyer,

c:\documents and settings\Owner\Desktop\Security 6-23\ComboFix.exe
I notice that you have a folder on your Desktop that you are running ComboFix from. If you would, please go ahead and just move the ComboFix icon directly onto your Desktop.
----------

Let's rerun the previous step with ComboFix...

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

REGNULL::
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe (it should be your Desktop now)


CFScriptB-4.gif


Referring to the picture above, drag CFScript onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
----------
 
on the desktop

ComboFix 11-09-27.01 - Owner 09/27/2011 16:16:17.25.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1175 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security 6-23\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-23 04:09 . 2011-09-23 04:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-09-23 01:09 . 2011-09-23 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 01:09 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-18 07:34 . 2011-09-18 07:34 -------- d-----w- c:\program files\CafeScribe Offline
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-17 20:23 . 2011-06-13 23:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2006-11-21 23:51 . 2006-11-21 23:52 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 536576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PopUpStopperFreeEdition"=c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"hpsysdrv"=c:\windows\system\hpsysdrv.exe
"KBD"=c:\hp\KBD\KBD.EXE
"LTMSG"=LTMSG.exe 7
"Recguard"=c:\windows\SMINST\RECGUARD.EXE
"THGuard"="c:\program files\TrojanHunter 5.3\THGuard.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ccpm_0237.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [6/3/2005 3:02 AM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [6/3/2005 3:02 AM 3904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/10/2008 10:59 PM 99376]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?s=https&r0=1276167334
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 16:20
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1730167982-1273179249-2621698179-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-27 16:21:53
ComboFix-quarantined-files.txt 2011-09-27 20:21
ComboFix2.txt 2011-09-27 00:39
ComboFix3.txt 2011-09-26 05:38
ComboFix4.txt 2011-09-25 05:18
ComboFix5.txt 2011-09-27 20:14
.
Pre-Run: 134,831,136,768 bytes free
Post-Run: 134,815,825,920 bytes free
.
- - End Of File - - 52A294374B61979185CACB5C9B3E0C20
 
Hi wmbeyer,

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
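Reading the OTL and ComboFix output in this thread by eye is what the helper does; the first pass can be scripted. The script below is an added example, not part of the thread, OTL or ComboFix. It walks OTL/ComboFix-style lines and flags the items a helper looks at first: services whose binary is "File not found", HOSTS entries beyond localhost, extra programs appended to the Winlogon Shell or UserInit values, hidden+system files with random-looking names under Application Data (the shape of the -HS- entries in the OTL log), and a Windows Firewall policy with EnableFirewall set to 0 (as in the ComboFix logs above). The sample input is constructed here in the shape of the logs posted in this thread; unknown.exe and downloads.example.test are placeholders so the checks have something to fire on, and the thresholds in looks_random are an assumption. Every hit is a prompt to look, not a verdict.

```python
"""Heuristic triage of OTL / ComboFix style log lines (added example).

Not part of OTL, ComboFix or any post in this thread. Every hit means
"look at this", not "this is malware".
"""
import re

# Constructed sample in the shape of the OTL and ComboFix output posted in
# this thread. unknown.exe and downloads.example.test are placeholders added
# so the checks have something to fire on.
SAMPLE_LOG = r"""
SRV - (SDhelper) -- File not found
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 downloads.example.test
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\unknown.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
[2011/07/27 21:52:50 | 000,012,084 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\306m286c3ht12fbhr40333q55j27e0i1ue06
[2011/09/22 21:09:08 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
"EnableFirewall"= 0 (0x0)
"""

SRV_RE = re.compile(r"^SRV - \((?P<name>[^)]+)\).*--\s*File not found$")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\)")
# OTL file line: [stamp | size | RHSD attrs | C/M] (company) -- path
FILE_RE = re.compile(
    r"^\[[^|]+\|\s*[\d,]+\s*\|\s*(?P<attrs>[-RHSD]{4})\s*\|\s*[CM]\]\s*\([^)]*\)\s*--\s*(?P<path>.+?)\s*$"
)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# XP defaults for the two Winlogon values that malware most often appends to.
EXPECTED_WINLOGON = {
    "Shell": {"explorer.exe"},
    "UserInit": {r"c:\windows\system32\userinit.exe"},
}
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def looks_random(name: str) -> bool:
    """Extensionless, 16+ chars, letters present, digits in 3+ separate runs.

    Thresholds are an assumption tuned to names like the -HS- files in this
    thread; names with an extension (desktop.ini, *.lnk) never match.
    """
    if "." in name or len(name) < 16:
        return False
    has_alpha = any(c.isalpha() for c in name)
    digit_runs = len(re.findall(r"\d+", name))
    return has_alpha and digit_runs >= 3


def triage(text: str) -> list:
    """Return (category, detail) pairs for lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SRV_RE.match(line):
            # Usually a leftover from an uninstall; worth cleaning, not proof of infection.
            findings.append(("orphaned-service", m["name"]))
        elif m := HOSTS_RE.match(line):
            if m["ip"] not in LOOPBACK or m["host"].lower() not in LOCAL_NAMES:
                findings.append(("hosts-entry", f"{m['ip']} {m['host']}"))
        elif m := WINLOGON_RE.match(line):
            parts = [p.strip().lower() for p in m["value"].split(",") if p.strip()]
            extra = [p for p in parts if p not in EXPECTED_WINLOGON[m["key"]]]
            if extra:
                findings.append(("winlogon-extra", f"{m['key']}: {', '.join(extra)}"))
        elif m := FILE_RE.match(line):
            attrs, path = m["attrs"], m["path"]
            name = path.rsplit("\\", 1)[-1]
            # Hidden + system, not a directory, under a profile's Application Data,
            # with a random-looking name: the pattern of the -HS- files in this thread.
            if ({"H", "S"} <= set(attrs) and "D" not in attrs
                    and "application data" in path.lower() and looks_random(name)):
                findings.append(("hidden-system-file", path))
        elif m := FIREWALL_RE.match(line):
            if m["val"] == "0":
                findings.append(("firewall-disabled", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run it against a saved OTL.Txt or ComboFix.txt by reading the file into triage() instead of SAMPLE_LOG. The orphaned-service hits are the least alarming class (here they are what an uninstalled Spybot or NVIDIA package leaves behind); the Winlogon and hidden-system-file classes are the ones to hand to a helper first.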
 
OTL Text

OTL logfile created on: 9/28/2011 8:26:07 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 77.32% Memory free
2.85 Gb Paging File | 2.72 Gb Available in Paging File | 95.31% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 147.51 Gb Total Space | 125.55 Gb Free Space | 85.11% Space Free | Partition Type: NTFS
Drive D: | 5.14 Gb Total Space | 0.95 Gb Free Space | 18.44% Space Free | Partition Type: FAT32
Drive H: | 7.53 Gb Total Space | 7.52 Gb Free Space | 99.81% Space Free | Partition Type: FAT32

Computer Name: BILLSR | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\Share\PIHook.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SDhelper) -- File not found
SRV - (NVSvc) -- File not found
SRV - (JavaQuickStarterService) -- File not found
SRV - (EPSON_PM_RPCV4_01) EPSON V3 Service4(01) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)


========== Driver Services (SafeList) ==========

DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (S3Psddr) -- C:\WINDOWS\system32\drivers\s3gnbm.sys (S3 Graphics, Inc.)
DRV - (MxlW2k) -- C:\WINDOWS\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
DRV - (AFS2K) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.)
DRV - (snapman) -- C:\WINDOWS\System32\DRIVERS\snapman.sys (Acronis)
DRV - (MAPMEM) -- C:\Program Files\CheckIt\Diagnostics\MAPMEM.SYS ()
DRV - (BCMNTIO) -- C:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS ()
DRV - (nvnforce) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvapu.sys (NVIDIA Corporation)
DRV - (nvax) Service for NVIDIA(R) nForce(TM) -- C:\WINDOWS\system32\drivers\nvax.sys (NVIDIA Corporation)
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (Agere Systems)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)
DRV - (nvcap) nVidia WDM Video Capture (universal) -- C:\WINDOWS\system32\drivers\nvcap.sys ()
DRV - (NVXBAR) -- C:\WINDOWS\system32\drivers\nvxbar.sys (NVIDIA Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (NVENET) -- C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\ASPI32.SYS (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?s=https&r0=1276167334
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.1879: C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/npracplug;version=1.0.0.0: C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll (RealNetworks)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.1939: C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.872: C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/09/26 01:35:02 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [PopUpStopperFreeEdition] C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe (Panicware, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{60578A1D-F672-4C15-B767-65A2E2E0CF00}: DhcpNameServer = 192.168.60.2 192.168.60.3 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\smile.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\smile.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/10/11 06:16:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/28 20:24:41 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/09/28 20:18:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/09/28 20:18:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/27 16:21:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/09/25 01:02:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\second logs
[2011/09/25 01:01:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\first logs
[2011/09/22 21:09:04 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/22 21:09:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/18 03:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\CafeScribe Offline
[2011/09/18 02:52:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Ethics
[2011/09/18 02:51:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Biology
[2011/09/18 02:49:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Mangerial Accounting
[2011/09/18 02:48:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Business Calc
[2006/11/21 19:52:08 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/28 20:24:45 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/09/28 19:09:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/28 19:09:05 | 1609,945,088 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/27 16:11:10 | 000,000,617 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.exe.lnk
[2011/09/26 23:37:41 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2003.lnk
[2011/09/26 01:35:02 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/23 23:25:36 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/09/22 21:09:08 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/22 15:33:31 | 010,223,616 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.bak
[2011/09/21 03:50:39 | 000,001,538 | ---- | M] () -- C:\WINDOWS\System32\CountBlockedByFirewall.XML
[2011/09/18 03:34:37 | 000,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CafeScribe Offline.lnk
[2011/09/18 03:34:29 | 000,000,377 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\com.Follett.CafeScribe.Offline_state.xml
[2011/09/17 21:26:18 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110922-175058.backup
[2011/09/17 21:14:17 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/09/14 09:45:19 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/27 16:11:10 | 000,000,617 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to ComboFix.exe.lnk
[2011/09/23 23:25:36 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
[2011/09/23 00:34:34 | 1609,945,088 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/22 22:58:45 | 000,454,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\mrxsmb.svs
[2011/09/22 21:09:08 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/18 03:34:29 | 000,000,377 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\com.Follett.CafeScribe.Offline_state.xml
[2011/09/17 21:14:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/07/27 22:14:01 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/27 22:14:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/27 22:14:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/27 22:14:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/27 22:14:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/27 21:52:50 | 000,012,084 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\306m286c3ht12fbhr40333q55j27e0i1ue06
[2011/07/27 21:52:50 | 000,012,084 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\306m286c3ht12fbhr40333q55j27e0i1ue06
[2011/07/13 03:00:59 | 000,013,004 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\d8cuhn4b277pj1vnbjoj5h37u7j
[2011/07/13 03:00:59 | 000,013,004 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d8cuhn4b277pj1vnbjoj5h37u7j
[2011/06/14 19:16:43 | 000,013,764 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\o65qw5qxmp45w71w2010773
[2011/06/14 19:16:43 | 000,013,764 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\o65qw5qxmp45w71w2010773
[2011/06/05 17:16:40 | 000,012,054 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\8f2gvu11wnj076224dw377dm
[2011/06/05 17:16:40 | 000,012,054 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8f2gvu11wnj076224dw377dm
[2011/05/17 23:34:21 | 000,000,208 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\m2647CgIbCbK8588
[2011/02/15 19:44:56 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Statdisk.prefs
[2010/05/14 01:32:39 | 000,000,035 | ---- | C] () -- C:\WINDOWS\worldbuilder.INI
[2010/05/07 10:29:01 | 000,000,107 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\netstat.bat
[2010/04/20 23:03:36 | 000,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2009/09/11 10:57:10 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/09/10 03:07:16 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/06/17 22:38:18 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2008/06/17 22:38:18 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2008/06/17 22:36:27 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX8400.ini
[2008/02/28 15:30:08 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/15 00:01:25 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/04/13 00:57:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/04/11 19:36:11 | 000,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/03/09 19:58:24 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\rrsec.dll
[2006/03/09 19:58:24 | 000,090,151 | ---- | C] () -- C:\WINDOWS\System32\rrsec2k.exe
[2006/03/08 23:46:46 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\AdFirewall.SYS
[2006/02/13 22:38:41 | 000,007,512 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/02/13 22:38:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/06/06 15:01:41 | 000,004,156 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2005/06/02 19:32:41 | 000,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2005/06/02 19:32:25 | 000,205,312 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2005/06/02 11:50:42 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2005/06/02 11:50:42 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2005/06/02 11:50:42 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2005/06/02 11:50:42 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2005/06/02 11:50:42 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2005/06/02 11:50:42 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2005/06/02 11:50:42 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2005/06/02 11:50:42 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2005/06/02 11:50:42 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2005/06/02 11:50:42 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2005/05/09 20:16:57 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2005/05/09 20:16:57 | 000,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2005/05/09 20:15:50 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/03/23 22:58:46 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/01/02 19:44:42 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2005/01/02 19:44:29 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2005/01/02 19:44:29 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2005/01/02 19:44:29 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2005/01/02 19:44:28 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2005/01/02 19:37:44 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX4600.ini
[2005/01/02 00:32:24 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2004/11/29 19:58:20 | 000,000,051 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2004/09/27 09:16:55 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/07/21 21:50:11 | 000,000,027 | ---- | C] () -- C:\WINDOWS\FTSL.INI
[2004/07/06 10:23:45 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/06/19 14:38:22 | 000,000,395 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2004/06/19 13:52:43 | 000,000,744 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/06/16 17:59:28 | 000,142,336 | ---- | C] () -- C:\WINDOWS\System32\faboot.exe
[2004/05/10 20:55:25 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI
[2004/05/10 20:55:19 | 000,002,140 | ---- | C] () -- C:\WINDOWS\AWSHKWV.INI
[2004/04/02 22:49:59 | 000,001,402 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/04/02 22:23:52 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini
[2004/04/02 16:55:09 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/04/02 16:52:22 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2004/04/02 15:13:34 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\nvuaudio.exe
[2004/04/02 15:09:09 | 000,001,181 | ---- | C] () -- C:\WINDOWS\System32\imbrmute.ini
[2004/03/22 11:42:36 | 000,811,008 | ---- | C] () -- C:\WINDOWS\System32\MYCALC.DLL
[2003/11/15 04:23:36 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/11/15 04:23:33 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/11/15 04:23:16 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/11/15 04:23:16 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/11/15 04:22:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/11/15 04:22:28 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/11/15 03:57:41 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/11/15 03:57:41 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/11/15 03:57:39 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/11/08 01:34:36 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\PURGEDRM.dll
[2003/10/14 09:52:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/10/14 09:35:01 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/10/11 08:51:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2003/10/11 08:50:32 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2003/10/11 08:50:32 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2003/10/11 08:47:42 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2003/10/11 08:45:41 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/10/11 08:42:56 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66L.exe
[2003/10/11 08:40:57 | 000,029,222 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2003/10/11 08:40:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/10/11 08:40:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/10/11 08:29:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/10/11 08:16:42 | 000,000,907 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/10/11 07:34:34 | 000,006,848 | ---- | C] () -- C:\WINDOWS\System32\hphmon05.dat
[2003/10/11 07:34:21 | 000,018,403 | ---- | C] () -- C:\WINDOWS\HPHins01.dat
[2003/10/11 07:34:21 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl01.dat
[2003/10/11 07:25:05 | 000,034,468 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2003/10/11 07:25:05 | 000,028,885 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2003/10/11 07:08:49 | 000,001,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2003/10/11 07:07:05 | 000,126,348 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvcap.sys
[2003/10/11 07:05:13 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis740.bin
[2003/10/11 07:05:13 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis650.bin
[2003/10/11 06:47:37 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/10/11 06:39:21 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/10/11 06:39:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/10/11 06:39:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/10/11 06:19:00 | 000,000,905 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/10/11 06:17:38 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/10/11 06:14:08 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/10/11 06:06:45 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/10/11 06:06:18 | 000,463,448 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/10/11 06:06:18 | 000,078,024 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/10/11 03:10:46 | 000,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/10/11 03:10:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/10/11 02:45:39 | 000,001,648 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2003/10/10 23:10:25 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/10/10 23:09:39 | 000,177,856 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/09/23 04:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/08 01:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/19 17:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2000/01/28 01:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\wrkgadm.exe
[2000/01/28 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1999/07/23 14:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 11:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

========== LOP Check ==========

[2006/02/13 22:42:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2008/06/17 22:45:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/10/11 21:08:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData
[2010/02/10 16:55:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2004/07/07 13:22:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FullAudio
[2006/08/02 20:19:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Individual Software
[2009/12/26 02:29:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2008/12/11 12:51:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2008/12/11 13:01:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/09/24 16:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/21 00:37:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrojanHunter
[2007/03/29 22:08:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/04/02 16:54:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Acronis
[2011/08/22 18:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Blackboard
[2011/01/05 18:39:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Centra
[2011/08/22 18:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Collaborate
[2011/08/23 11:59:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.Follett.CafeScribe.Offline
[2008/10/12 10:27:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\EPSON
[2009/09/11 10:56:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
[2011/05/16 05:21:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HorizonWimba
[2006/02/13 22:37:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Individual Software
[2003/10/14 09:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2004/04/23 12:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2005/06/03 04:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IsolatedStorage
[2004/04/23 12:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2011/01/06 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MyScribe
[2003/10/11 09:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2005/01/17 22:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2010/04/21 00:10:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TrojanHunter
[2007/03/29 22:08:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2010/05/07 00:19:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WinPatrol
[2011/09/28 07:30:09 | 000,030,600 | ---- | M] () -- C:\WINDOWS\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 181 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF54F1CA
@Alternate Data Stream - 155 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA029835

< End of report >
 
Extras text

OTL Extras logfile created on: 9/28/2011 8:26:07 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 77.32% Memory free
2.85 Gb Paging File | 2.72 Gb Available in Paging File | 95.31% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 147.51 Gb Total Space | 125.55 Gb Free Space | 85.11% Space Free | Partition Type: NTFS
Drive D: | 5.14 Gb Total Space | 0.95 Gb Free Space | 18.44% Space Free | Partition Type: FAT32
Drive H: | 7.53 Gb Total Space | 7.52 Gb Free Space | 99.81% Space Free | Partition Type: FAT32

Computer Name: BILLSR | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Real\RealOne Player\realplay.exe" = C:\Program Files\Real\RealOne Player\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\WINDOWS\Downloaded Program Files\ccpm_0237.exe" = C:\WINDOWS\Downloaded Program Files\ccpm_0237.exe:*:Enabled:ccpm_exe Module -- ()
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client -- (Hewlett-Packard)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{092eeeee-9fdd-4895-a568-0818c96beb6c}" = AiO_Scan
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0D6D96F4-0CAF-4522-B05F-70A88EDECDFD}" = ArcSoft Print Creations
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{155FBB0D-0EE9-42D1-9E41-15E08F691033}" = Microsoft Producer for Microsoft Office PowerPoint 2003
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{24ADC0E4-8D3E-40C4-9106-F2DE5E9112F1}" = EPSON Stylus CX8400 Series Scanner Driver Update
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0
"{2F1FD032-67D1-4569-923F-47EAF132BF0F}" = DocProc
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{39B1915D-3CBA-42F8-8A58-2AB5587BF863}" = Microsoft Office PowerPoint 2003 Template Creation Wizard
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{463A1D1B-BE4E-F4E0-4C97-538F47578CA0}" = CafeScribe Offline
"{483616D1-867E-46F8-BEC7-3C6475933908}" = Adobe Photoshop Album Starter Edition
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FB6F304-A91D-4919-98E5-D96E074EA9E5}" = SkinsHP1
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{54e854d5-d5d4-452d-9c75-b39f5625b5fb}" = Readme
"{5ADF6293-D60F-4425-AFA7-CEB820DB872B}" = QuickProjects
"{5D7F0A0E-369E-46C0-9F99-FAB21A064781}" = HP Photo and Imaging 2.0 - Photosmart Cameras
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}" = Zone Deluxe Games
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = ArcSoft Software Suite
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{7148F0A8-6813-11D6-A77B-00B0D0142180}" = Java 2 Runtime Environment, SE v1.4.2_18
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{791B20D4-AE59-4DE9-B45F-BA01F3D0A493}" = ArcSoft ShowBiz 2
"{7BBD57D6-09B1-4CC3-9664-A0D53EE25247}" = PSShortcutsP
"{829698DE-9EAC-475E-9A05-B7BA807CA1EF}" = Director
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90150409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Access 2003
"{90AB0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint 2003 Template Pack 1
"{90AC0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint 2003 Template Pack 2
"{90AD0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint 2003 Template Pack 3
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{939227BD-19D8-4684-8A04-31AC9F6A564C}" = Scan
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9F4EEA0C-7174-4BD3-89AF-7AB2F9F6AEDD}" = hpmdtab
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A363B66C-1547-47bf-90F0-3834E70A841A}" = CreativeProjects
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AFBBF30D-ADA9-4313-464E-14458B6BE034}" = PhotoshopdotcomInspirationBrowser
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{bb6cac2a-1fa0-471a-bc3c-ade699c39f3c}" = Fax
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c330461f-c4a9-4fc7-af5d-c158e0b56aa7}" = AiOSoftware
"{C38BC5B7-62D3-4880-82DD-A4803FD81921}" = PhotoGallery
"{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}" = Microsoft Plus! Digital Media Edition
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB6075D9-F912-40AE-BEA6-E590DA24F16B}" = Adobe Photoshop Elements 7.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE4F8FFB-4063-4247-9F14-ECE61AFEFA25}" = TrayApp
"{CFD1B282-555D-494d-8231-4175C2AF08C2}" = PrintScreen
"{D03E7B00-CA85-4684-9321-1888873C34BD}" = ArcSoft PhotoImpression 6
"{D1D8C9C4-89BE-4f37-9EC4-B80E3C239C41}" = Copy
"{D545BB81-DEB0-49f7-BE26-197BC31AAF57}" = SkinsHP2
"{DF15059E-A356-47B2-B14B-6380ED32AB68}" = Microsoft Baseline Security Analyzer 1.2.1
"{E4ABB302-9D82-4D18-83D5-AD1DFE786AA8}" = Unload
"{ec7d7a6a-31cb-4810-826f-74171bef44f1}" = AIOMinimal
"{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}" = HP PSC & OfficeJet 3.0
"{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"{FC713618-78C4-4563-9105-B9B503E8A86F}" = Top Comp Calculator
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FE31A29F-B6E3-4678-8A6F-19F1819A7F52}" = Series 6 Drill and Practice
"Active@ Password Changer Professional" = Active@ Password Changer Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 7" = Adobe Photoshop Elements 7.0
"BackWeb-1940576 Uninstaller" = Compaq Connections
"BellSouth® FastAccess® DSL Westell WireSpeed Update_is1" = Westell Firmware Upgrade
"CCleaner" = CCleaner
"CheckIt Diagnostics" = CheckIt Diagnostics
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.Follett.CafeScribe.Offline" = CafeScribe Offline
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"Free Window Registry Repair" = Free Window Registry Repair
"HijackThis" = HijackThis 1.99.0
"HP Photo & Imaging" = HP Photo & Imaging 3.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}" = Command & Conquer Generals
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}" = Command and ConquerTM Generals Zero Hour
"InterActual Player" = InterActual Player
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Mah Jong Tiles Deluxe" = Mah Jong Tiles Deluxe
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MS Access 97 SP2" = MS Access 97 SP2
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MyScribe" = MyScribe
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Drivers" = NVIDIA Drivers
"PerformanceTest_is1" = PerformanceTest v5.0
"PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1" = Adobe Photoshop.com Inspiration Browser
"Pop-Up Stopper Free Edition" = Pop-Up Stopper Free Edition
"PrivacyExpert" = Acronis*PrivacyExpert
"Professor Answers" = Professor Answers
"Professor Teaches Excel 2003" = Professor Teaches Excel 2003
"Professor Teaches PowerPoint 2003" = Professor Teaches PowerPoint 2003
"Professor Teaches Word 2003" = Professor Teaches Word 2003
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"RealPlayer 6.0" = RealPlayer
"RegCure" = RegCure
"Registrar Registry Manager (Lite Edition)_is1" = Registrar Registry Manager 4.03
"Registrar Registry Manager 4.03 (Lite Edition)" = Registrar Registry Manager 4.03 (Lite Edition)
"Secunia PSI" = Secunia PSI
"Silent Package Run-Time Sample" = EPSON CX8400 User's Guide
"Sybase SQL Anywhere 7 Personal Server" = Sybase SQL Anywhere 7 Personal Server
"System Security Suite 1.04" = System Security Suite 1.04
"TrojanHunter_is1" = TrojanHunter 5.3
"Tweak UI 2.10" = Tweak UI
"Virtual Magnifying Glass_is1" = Virtual Magnifying Glass v3.4
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinPatrol" = WinPatrol 2009
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WOLAPI" = Westwood Shared Internet Components
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/22/2011 1:02:46 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11500
Description = Product: VIPRE Antivirus Premium -- Error 1500.Another installation
is in progress. You must complete that installation before continuing this one.

Error - 9/22/2011 1:02:47 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11500
Description = Product: VIPRE Antivirus Premium -- Error 1500.Another installation
is in progress. You must complete that installation before continuing this one.

Error - 9/22/2011 1:03:12 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11500
Description = Product: VIPRE Antivirus Premium -- Error 1500.Another installation
is in progress. You must complete that installation before continuing this one.

Error - 9/22/2011 1:03:13 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11500
Description = Product: VIPRE Antivirus Premium -- Error 1500.Another installation
is in progress. You must complete that installation before continuing this one.

Error - 9/22/2011 1:03:15 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11500
Description = Product: VIPRE Antivirus Premium -- Error 1500.Another installation
is in progress. You must complete that installation before continuing this one.

Error - 9/22/2011 1:03:45 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11706
Description = Product: VIPRE Antivirus Premium -- Error 1706.No valid source could
be found for product VIPRE Antivirus Premium. The Windows Installer cannot continue.

Error - 9/22/2011 1:04:12 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11706
Description = Product: VIPRE Antivirus Premium -- Error 1706.No valid source could
be found for product VIPRE Antivirus Premium. The Windows Installer cannot continue.

Error - 9/22/2011 1:04:25 AM | Computer Name = BILLSR | Source = MsiInstaller | ID = 11706
Description = Product: VIPRE Antivirus Premium -- Error 1706.No valid source could
be found for product VIPRE Antivirus Premium. The Windows Installer cannot continue.

Error - 9/26/2011 1:17:53 AM | Computer Name = BILLSR | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17055, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/26/2011 1:17:56 AM | Computer Name = BILLSR | Source = Application Hang | ID = 1001
Description = Fault bucket 1878916232.

[ System Events ]
Error - 9/28/2011 5:54:05 AM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The nVidia WDM Video Capture (universal) service failed to start due
to the following error: %%1058

Error - 9/28/2011 5:54:05 AM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The NVIDIA Driver Helper Service service failed to start due to the
following error: %%3

Error - 9/28/2011 5:54:05 AM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The nVidia WDM A/V Crossbar service failed to start due to the following
error: %%1058

Error - 9/28/2011 5:54:05 AM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The PC Tools Spyware Doctor service failed to start due to the following
error: %%3

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The EPSON V3 Service4(01) service failed to start due to the following
error: %%3

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The Java Quick Starter service failed to start due to the following
error: %%3

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The nVidia WDM Video Capture (universal) service failed to start due
to the following error: %%1058

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The NVIDIA Driver Helper Service service failed to start due to the
following error: %%3

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The nVidia WDM A/V Crossbar service failed to start due to the following
error: %%1058

Error - 9/28/2011 7:09:43 PM | Computer Name = BILLSR | Source = Service Control Manager | ID = 7000
Description = The PC Tools Spyware Doctor service failed to start due to the following
error: %%3


< End of report >
 
Hi wmbeyer,

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :Services
    
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    [2005/03/23 22:58:46 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2004/07/21 21:50:11 | 000,000,027 | ---- | C] () -- C:\WINDOWS\FTSL.INI
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [clearallrestorepoints]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
 
run OTL fix

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL| /E : value set successfully!
C:\WINDOWS\DEBUGSM.INI moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore points cleared and new OTL Restore Point set!

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 69932 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 34795 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 1354 bytes

User: Owner
->Temp folder emptied: 338996 bytes
->Temporary Internet Files folder emptied: 1760160 bytes
->Java cache emptied: 35471606 bytes
->Flash cache emptied: 714 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 20669 bytes
%systemroot%\System32 .tmp files removed: 4005393 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35218 bytes
RecycleBin emptied: 110576 bytes

Total Files Cleaned = 40.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 09292011_160810

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Hi wmbeyer,

Good job running that OTL fix. :bigthumb:

I see that you already have Malwarebytes on your system. Please open that program, Update it and then run Quick Scan. There will be a log produced that I will need in your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan: http://www.eset.com/onlinescan/
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check the box to accept the Terms of Use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check the Scan archives option.
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push the List found threats button.
  12. Push the Export button, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  13. Push the Back button.
  14. Push Finish
----------

In your next reply please post the logs created by Malwarebytes and ESET Online Scanner. :)
 
Both Malwarebytes and ESET detected

Malwarebytes and ESET found different viruses

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7837

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

9/30/2011 7:45:10 PM
mbam-log-2011-09-30 (19-45-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 283192
Time elapsed: 29 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\dwwigpwd.dll.vir (Backdoor.Papras) -> Quarantined and deleted successfully.

ESet Scan

C:\WINDOWS\system32\drivers\mrxsmb.svs Win32/Rootkit.Agent.NUT trojan
 
Hi wmbeyer,

The entry that Malwarebytes found is actually already quarantined by ComboFix, and we will be removing that when we uninstall ComboFix. :)

Let's get rid of that other though...

Go to Start > Run > type cmd > press Enter. This will open the command prompt. I would like for you to copy/paste the following bolded text into the command prompt and press Enter.

del C:\WINDOWS\system32\drivers\mrxsmb.svs /f /q
----------

I notice that you are using Windows XP with Service Pack 2. The most recent version of Windows XP is Service Pack 3. Please open Internet Explorer and go to Tools > Windows Update and then download and install all updates.
----------

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------

I would like for you to run DDS once more and post both of the logs that are created into your next reply.
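The ESET hit above, C:\WINDOWS\system32\drivers\mrxsmb.svs, is a file that sits beside the legitimate SMB redirector driver mrxsmb.sys with a one-letter change in the extension, which is why the helper removes it by exact path rather than by name pattern. Before running a del /f /q against a drivers directory it is worth listing every file that follows that pattern, so the lookalike and not the real driver is the one that gets deleted. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It flags any non-.sys file that shares its base name with a .sys driver in the same directory, and any file whose extension is one character away from .sys even when no sibling exists; both rules are my assumptions about what "looks like a driver" and will miss droppers that use unrelated names. The listing it scans is constructed for the example. It only reports; it deletes nothing, and a rootkit that is still loaded may hide or lock the file from a normal directory listing anyway.

```python
"""Check a Windows driver directory listing for files that masquerade as a
legitimate driver: same base name as a real .sys driver but a near-identical
extension (the mrxsmb.svs beside mrxsmb.sys pattern), or a .sys-lookalike
extension with no sibling at all. Listing-only: nothing is deleted."""
import os
import tempfile

REAL_EXT = ".sys"


def is_sys_lookalike(ext):
    """True if ext is exactly one character away from '.sys' (e.g. '.svs', '.sya')."""
    ext = ext.lower()
    if ext == REAL_EXT or len(ext) != len(REAL_EXT):
        return False
    return sum(a != b for a, b in zip(ext, REAL_EXT)) == 1


def find_lookalike_drivers(listing):
    """Return (suspect, shadowed_driver_or_None) pairs for a directory listing.

    A file is suspect when it shares its stem with a real .sys driver in the
    same listing (that driver is reported), or when its extension is a
    one-character variant of .sys even without a sibling (None is reported).
    Names are lower-cased because NTFS lookups are case-insensitive.
    """
    names = sorted({n.lower() for n in listing})
    sys_stems = {os.path.splitext(n)[0] for n in names if n.endswith(REAL_EXT)}
    hits = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext == REAL_EXT:
            continue
        if stem in sys_stems:
            hits.append((name, stem + REAL_EXT))
        elif is_sys_lookalike(ext):
            hits.append((name, None))
    return hits


def scan_driver_dir(path):
    """Run the check against a real directory, e.g. C:\\WINDOWS\\system32\\drivers."""
    return find_lookalike_drivers(os.listdir(path))


# Constructed listing modelled on the thread's finding (not a real directory dump).
SAMPLE_LISTING = [
    "mrxsmb.sys", "mrxsmb.svs",      # real SMB redirector plus the lookalike beside it
    "tcpip.sys", "ntfs.sys", "etc",  # legitimate drivers and the etc\ folder (hosts file)
    "acpi.sya",                      # lookalike extension with no acpi.sys sibling here
    "README.txt",                    # unrelated file, must not be flagged
]


def demo():
    """Materialise SAMPLE_LISTING in a temp dir and scan it like a real path."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_LISTING:
            target = os.path.join(tmp, name)
            if name == "etc":
                os.mkdir(target)
            else:
                open(target, "wb").close()
        return scan_driver_dir(tmp)


if __name__ == "__main__":
    for suspect, shadowed in demo():
        detail = f"shadows {shadowed}" if shadowed else "lookalike extension, no sibling"
        print(f"{suspect}: {detail}")
```

On the machine in this thread the call would be scan_driver_dir(r"C:\WINDOWS\system32\drivers"); a hit that names the real driver it shadows is the one to remove, and the .sys it points at is the one to leave alone.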
 